30 May 2010

The Perfect #Phishing Email



AMSTERDAM, 26 May 2010 – Security flaws in online social networks enable identity theft and feed spammers' databases.
Have you already received ads for Viagra pills from your friends on MySpace? Have you also been told through Facebook that you have inherited a large sum of money from the recently deceased Prime Minister of Central Africa? If so, chances are you are the lucky 1 in 300 people who have been exposed to security flaws in online social networks.
The Dutch email security provider SpamExperts recently investigated the extent to which spammers actually use online social networks such as Facebook, Twitter, MySpace and the like to target members of these networks for spam. One known security flaw, for example, is that even though users had marked their dates of birth as 'private information', phishers were able to see them by sending a special link to unsuspecting users.
SpamExperts CTO van Donselaar adds: "In complex online networks such as social networking sites, there will always be a risk of information leaking. This danger lies in the very nature of these networks: connecting people and sharing information among friends and other like-minded people. This, however, also means that 'the spammers' are listening and looking for ways to profit from users who are not careful."
Recently, 1.5 million Facebook accounts were made available to anyone who wanted to buy them, at a price of $25 – $45 per 1,000 accounts. Approximately 700,000 have already been sold for the sole purpose of obtaining users' private data and friend connections through fraudulent email (phishing). The email addresses found via the networks are then resold on the spam market, since they are highly accurate and even have names and private information attached to them. This makes it extremely easy for spammers to assemble the perfect hoax or phishing email. Only a professional spam filter will be able to easily detect and quarantine these unsolicited messages and protect the user from the danger involved.
The most famous case of a spammer caught on Facebook was that of a Montreal-based spammer named Adam Guerbuez. He was fined a record $873 million in 2008 after hacking and sending sexually explicit messages to millions of user accounts on the social networking site.
About SpamExperts
SpamExperts is the leading provider of email security solutions from Amsterdam. Since 2004, SpamExperts has been growing its customer base in Europe, the Americas, Africa and Australia, and has in the meantime become the market leader in a number of countries. All solutions are developed in-house and are offered via SaaS or installed directly on the customer's infrastructure as managed software. Pricing for incoming mail filtering starts at USD 0.30 per domain per year, with no user or mailbox limits. The latest additions to the product portfolio are an outgoing mail filtering server and an email archiving product.


END OF PRESS RELEASE


Source: http://tinyurl.com/24xpsl8

Tabnabbing: #phishing via browser tabs


Here is an article taken from La Comunidad DragonJAR

Tabnabbing: phishing via browser tabs
-------------------------------------

Aza Raskin has revealed a new method of modifying pages in browser tabs
(it affects almost all of them) that can be used to carry out somewhat
more sophisticated phishing attacks. It is based on a technique that
allows a page's appearance to be changed when its browser tab does not
have "focus". The attack is ingenious, although it has its limitations.

How it works

A user browses to the attacker's page, which does not have to imitate
any bank or login page. It is simply another page, equipped with
JavaScript code that performs the "trick". The victim switches tabs (or
programs; what matters is that the page loses focus) and carries on
with their everyday visits to other pages. Meanwhile, the attacker's
page changes completely thanks to the JavaScript: the favicon, the
title, the body... everything except the domain, naturally. The page
could now look like (for example) the Gmail login page. The victim
returns to the tab later and thinks their session has expired. They
enter their password, and it travels to the attacker.

The user is expected to lower their guard because, until now, it was
assumed that a tab does not "mutate" behind our backs and therefore, if
it appears as "Gmail", for example, it must be because we visited it
earlier. Users who habitually keep many tabs open know how easy it is
to forget exactly what is being visited at any given moment.

Improvements to the attack

According to the discoverer himself, the browser's CSS history could be
probed to find out which pages the user visits and then dynamically
pose as one of them, making the attack more effective. There are other
methods that even reveal which sites the user is actually authenticated
on, which would make the technique more effective still.

If the attacker manages to embed JavaScript in the real site being
impersonated (for example through advertising bought from third
parties), then the page would change on the real domain... and that
would indeed amount to an "almost perfect" attack.

Live

The discoverer has posted a proof of concept in his blog entry. If you
visit that page, switch to another tab for 5 seconds (an arbitrary
delay chosen by the discoverer) and come back, it will display an image
of Gmail that it loads and overlays on the page. The favicon and the
title change. Obviously, the attack in this example is specifically
designed to be "visible".

What the attack contributes

It is an ingenious new method of attempting to impersonate a page. It
works in Firefox, Opera and (somewhat erratically) in Internet Explorer
8. Chrome does not appear to be vulnerable, although methods may well
appear that make it so.

Limitations

The attack still relies on the user not paying attention to the URL, so
when the victim returns to the tab they would be facing a case of
"traditional" phishing, were it not for the fact that the tab changed
"behind their back". We really do not think it will be an attack that
attackers put into practice on a massive scale, although it can
obviously be used selectively. The reason is that traditional phishing,
crude and without tricks, keeps working and keeps bringing substantial
profits to those who practise it without major technical complications.
And both rely on the average user neither taking advantage of the
benefits of certificates nor looking at the URLs where they enter their
passwords.

A "similar" attack, based on overlaying pages on a known website, was
described by Hispasec in May 2005. On that occasion the headline was
"Nueva generación de phishing rompe todos los esquemas" (new generation
of phishing breaks all the rules), because in those cases the URL of
the fake site (and the certificate) matched the real one; that is, the
real website was actually being visited, and the fake one was "placed"
on top. Obviously, this attack required a Cross Site Scripting
vulnerability in the original website. Unfortunately, XSS is the most
common type of flaw these days, both in banks and in other important
sites that work with credentials. Despite the effectiveness of the
attack, no massive attacks based on that technique were observed.

Mitigation

To avoid falling victim to "tabnabbing", you need to check URLs before
entering passwords, as always. Disable JavaScript for pages you do not
trust, whether through Zones in Internet Explorer or NoScript in
Firefox.
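A detection-side illustration of the behaviour described above, added here and not part of the DragonJAR article or Aza Raskin's proof of concept: it records a page's title and favicon at load time and flags changes that happen while the tab is hidden, which is exactly the moment a tabnabbing page rewrites itself. The browser wiring assumes the Page Visibility API and MutationObserver; the sample page names and the attacker.example host are constructed.

```javascript
// Tabnabbing detector: a page's title and favicon rarely change while its tab is
// hidden, so a change observed in that state is a signal worth warning about.
// The decision logic is kept DOM-free so it can be unit-tested under Node.

function createTabnabMonitor(baseline) {
  // baseline: { title, favicon } captured when the page finished loading
  const state = {
    title: baseline.title,
    favicon: baseline.favicon,
    hidden: false,
    findings: [],
  };
  return {
    // Called on visibilitychange: true when the tab lost focus / was hidden
    setHidden(hidden) {
      state.hidden = Boolean(hidden);
    },
    // Record a newly observed value for 'title' or 'favicon'.
    // Returns a finding when the value changed while the tab was hidden, else null.
    observe(kind, value) {
      if (kind !== 'title' && kind !== 'favicon') throw new Error('unknown kind: ' + kind);
      const previous = state[kind];
      if (previous === value) return null;   // nothing changed
      state[kind] = value;
      if (!state.hidden) return null;        // changes while focused are normal (SPA routing etc.)
      const finding = { kind, from: previous, to: value, whileHidden: true };
      state.findings.push(finding);
      return finding;
    },
    findings() {
      return state.findings.slice();
    },
  };
}

// Replays the sequence the article describes against the monitor, with constructed
// sample values: an unremarkable page, the user switches away, the page rewrites
// itself to look like a Gmail login, the user comes back.
function simulateTabnab() {
  const monitor = createTabnabMonitor({
    title: 'Harmless page',
    favicon: 'http://attacker.example/favicon.ico', // constructed placeholder host
  });
  monitor.observe('title', 'Harmless page - updated');          // visible change: not flagged
  monitor.setHidden(true);                                       // user switches tabs
  monitor.observe('title', 'Gmail: Email from Google');          // flagged
  monitor.observe('favicon', 'http://attacker.example/gmail.ico'); // flagged
  monitor.setHidden(false);                                      // user returns to the tab
  monitor.observe('title', 'Gmail: Email from Google');          // unchanged: not flagged
  return monitor.findings();
}

// Browser wiring (assumes the Page Visibility API and MutationObserver; skipped under Node).
function installTabnabMonitor(doc) {
  const iconHref = () => {
    const link = doc.querySelector('link[rel~="icon"]');
    return link ? link.href : '';
  };
  const monitor = createTabnabMonitor({ title: doc.title, favicon: iconHref() });
  doc.addEventListener('visibilitychange', () => monitor.setHidden(doc.visibilityState === 'hidden'));
  const observer = new MutationObserver(() => {
    for (const f of [monitor.observe('title', doc.title), monitor.observe('favicon', iconHref())]) {
      if (f) console.warn('Possible tabnabbing: ' + f.kind + ' changed while the tab was hidden', f);
    }
  });
  // <title> text and <link rel=icon> attributes both live under <head>
  observer.observe(doc.head, { childList: true, subtree: true, characterData: true, attributes: true });
  return monitor;
}

if (typeof document !== 'undefined') installTabnabMonitor(document);
```

Loaded as a user script it only warns in the console; the body rewrite the article also mentions is not watched here, since title and favicon are the cues a user relies on when scanning tabs.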


More information:

A New Type of Phishing Attack

Nueva generación de phishing rompe todos los esquemas
Source: http://tinyurl.com/282xlj4

27 May 2010

SSH tunnel with #PuTTY

What follows is how to set up an SSH tunnel using PuTTY, with the MySQL port (3306) forwarded as an example. After completing this how-to you'll have port 3306 on your local machine listening and forwarding to your remote server's localhost on port 3306. Thus, effectively, you can connect to the remote server's MySQL database as though it were running on your local box.

Prerequisites

This how-to assumes your MySQL installation has enabled listening on a TCP/IP connection. Listening only on 127.0.0.1 is sufficient (and the default as of MySQL 4.1). Although beyond the scope of this how-to, you can verify that the server is listening by running mysql -h 127.0.0.1 [rest of options] on the server. Look for bind-address = 127.0.0.1 and skip-networking = 0 in your /etc/mysql/my.cnf. A troubleshooting guide is also worth consulting.
To achieve the same with PostgreSQL, simply use PostgreSQL's default port, 5432. Use psql -h 127.0.0.1 [rest of options] to test; /etc/postgresql/pg_hba.conf and the manual are the pointers for configuration.

Set up the tunnel

Create a session in PuTTY and then select the Tunnels tab in the SSH section. In the Source port text box enter 3306. This is the port PuTTY will listen on on your local machine; it can be any standard Windows-permitted port. In the Destination field immediately below Source port enter 127.0.0.1:3306. This means: from the server, forward the connection to IP 127.0.0.1, port 3306. MySQL by default listens on port 3306 and we're connecting directly back to the server itself, i.e. 127.0.0.1. Another common scenario is to connect with PuTTY to an outward-facing firewall, in which case your Destination might be the private IP address of the database server.

[Screenshot: PuTTY Tunnels tab]

Add the tunnel

Click the Add button and the screen should look like this...

[Screenshot: PuTTY Tunnels tab with the forwarded port added]

Save the session

Unfortunately PuTTY does not provide a handy ubiquitous Save button on all tabs so you have to return to the Session tab and click Save...

[Screenshot: PuTTY Session tab]

Open the session

Click Open (or press Enter), login, and enjoy!
Here for reference is an example connection using MySQL Administrator going to localhost: note the Server Host address of 127.0.0.1, which will be transparently forwarded.
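An added check, not part of the original how-to, to confirm that the local end of the tunnel really reaches MySQL: it connects to 127.0.0.1:3306 and parses the greeting packet a MySQL server sends before the client says anything, which distinguishes a working tunnel from a port that is merely open. It needs Node.js; the sample greeting bytes and version string used for offline testing are constructed.

```javascript
// A MySQL packet is [3-byte little-endian payload length][1-byte sequence id][payload].
// The server greeting payload starts with: protocol version (1 byte, 10 for modern
// servers), server version (NUL-terminated string), connection id (4 bytes LE),
// followed by auth data this check does not need.
function parseMysqlGreeting(buf) {
  if (buf.length < 4) throw new Error('too short for a MySQL packet header');
  const payloadLength = buf[0] | (buf[1] << 8) | (buf[2] << 16);
  const payload = buf.subarray(4, 4 + payloadLength);
  if (payload.length < payloadLength) throw new Error('truncated packet');
  if (payload[0] === 0xff) throw new Error('server sent an error packet instead of a greeting');
  if (payload[0] !== 10) throw new Error('not a MySQL v10 greeting; is something else on this port?');
  const end = payload.indexOf(0, 1); // end of the NUL-terminated version string
  if (end < 0 || payload.length < end + 5) throw new Error('malformed server version field');
  return {
    sequenceId: buf[3],
    protocolVersion: payload[0],
    serverVersion: payload.subarray(1, end).toString('ascii'),
    connectionId: payload.readUInt32LE(end + 1),
  };
}

// Builds a constructed greeting (sample bytes, not a capture) so the parser can be
// exercised without a server.
function buildSampleGreeting(serverVersion, connectionId) {
  const id = Buffer.alloc(4);
  id.writeUInt32LE(connectionId, 0);
  const payload = Buffer.concat([
    Buffer.from([10]),                          // protocol version
    Buffer.from(serverVersion + '\0', 'ascii'), // server version, NUL-terminated
    id,                                         // connection id
    Buffer.alloc(8, 0x41),                      // auth-plugin-data part 1 (dummy)
    Buffer.from([0]),                           // filler
  ]);
  const header = Buffer.alloc(4);
  header.writeUIntLE(payload.length, 0, 3);     // 3-byte length; sequence id stays 0
  return Buffer.concat([header, payload]);
}

// Connects to the local tunnel endpoint and resolves with the parsed greeting.
// Uses a dynamic import so the file loads under both CommonJS and ES modules.
async function checkTunnel(port = 3306, host = '127.0.0.1', timeoutMs = 5000) {
  const net = await import('net');
  return new Promise((resolve, reject) => {
    const socket = net.connect({ port, host });
    const chunks = [];
    socket.setTimeout(timeoutMs, () => { socket.destroy(); reject(new Error('timeout: no greeting received')); });
    socket.on('error', reject);
    socket.on('data', (chunk) => {
      chunks.push(chunk);
      const buf = Buffer.concat(chunks);
      if (buf.length < 4) return;
      const need = 4 + (buf[0] | (buf[1] << 8) | (buf[2] << 16));
      if (buf.length < need) return;            // wait for the whole packet
      socket.end();
      try { resolve(parseMysqlGreeting(buf)); } catch (e) { reject(e); }
    });
  });
}

// Runs only when explicitly requested, so merely loading the file never opens a socket:
//   CHECK_TUNNEL=1 node tunnel-check.js
if (typeof process !== 'undefined' && process.env.CHECK_TUNNEL === '1') {
  checkTunnel().then(
    (g) => console.log('Tunnel reaches MySQL ' + g.serverVersion + ' (connection id ' + g.connectionId + ')'),
    (e) => { console.error('Tunnel check failed: ' + e.message); process.exitCode = 1; },
  );
}
```

A connection refused means PuTTY is not listening on the source port (the session was not saved or opened); an error packet instead of a greeting usually means the server refuses the client host, which is worth knowing before blaming the tunnel.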

26 May 2010

Information theft, a threat on the net: #phishing


13 April 2010
One of the main threats on the net in 2010 will be information theft by means of an email that fraudulently claims to come from a real, legitimate organization.
Phishing, already well known on the net, is evolving with certain changes. It has always targeted the financial industry, but some current phishing attacks are aimed at logins or passwords. The hacker poses as a government entity and lures the victim into handing over personal data. 60% of these emails pose as financial institutions, while 20% pose as a government organization.
IBM released a risk report providing data on how hackers try to obtain information in order to make money illegally. The study indicates the rise of these illicit actions in the second half of 2009 and the threat they pose for 2010. The countries where phishing was most frequent have also changed: previously they were Spain, Italy and South Korea; now Brazil, the United States and Russia appear at the top of the list.
IBM's reports offer conclusions and data of great interest for security on the net: critical and high-severity unpatched vulnerabilities have decreased; malicious links have increased considerably; hackers continue to succeed at hosting malicious websites; obfuscated attacks continue to rise. Precautions must be taken on the Internet in every sphere, corporate and personal.

Is your #Blogger account about to be suspended?

When we receive in our inbox a message entitled Your Blogger account is about to be suspended, even though we know that is not how Blogger tells us anything, however dramatic, one cannot help feeling... well, worried.

If we always take the precaution of reading the link in messages before clicking, which can be done by hovering the mouse pointer over it and looking at what the browser shows in the status bar, in this case we see something like this:

It seems to come from blogspot, but no; the domain is not what appears immediately after http:// or www. but what appears just before the so-called Top Level Domain (org, edu, gov, com, info, net), and in this case the extension is tc, but it could be any other because, apparently, there is no shortage of letters or thieves.



Well, you don't need to be a genius either to see in the mail's details that it was sent by something or someone called pompeya.dattaweb.com, which obviously is not Blogger or Google or anything of the sort; but how often do we check that?

Either way, on receiving the message, what you should do is report it, curse a little, and then delete it in one stroke.


If we followed the received mail, we would end up at the data capture page:


with an exact copy of Blogger's home page which is actually an IFRAME of this domain:


which is the phishing author's target... Be very careful about entering data anywhere!!!


Source: http://vagabundia.blogspot.com/2010/04/su-cuenta-de-blogger-esta-por-ser.html
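An added example, not from the original post, of the check the post describes: where the registrable domain sits in a link, and whether a brand name appearing elsewhere in the host or path is actually owned by that domain. The brand allow-list, the sample URLs and the small set of two-label suffixes (co.uk and the like) are constructed placeholders, not the full public suffix list.

```javascript
// Constructed subset of public suffixes that occupy two labels (the real list is far longer)
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.ar', 'com.br', 'com.mx', 'com.au', 'co.jp']);

// Constructed allow-list: which registrable domains legitimately belong to each brand
const BRAND_DOMAINS = {
  blogger: ['blogger.com', 'blogspot.com'],
  google: ['google.com'],
};

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// "What appears just before the TLD": the last two labels, or three when the suffix
// itself takes two labels (example.co.uk). IP literals have no domain at all.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  if (IPV4.test(host) || host.startsWith('[')) return host;
  const labels = host.split('.');
  if (labels.length < 2) return host;
  const take = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// Classify a link the way a careful reader of the status bar would: everything before
// the registrable domain is noise an attacker controls, however familiar it looks.
function analyzeLink(href) {
  const url = new URL(href);
  const host = url.hostname;
  const domain = registrableDomain(host);
  const ipLiteral = IPV4.test(host) || host.startsWith('[');
  const haystack = (host + url.pathname).toLowerCase();
  const impersonates = Object.entries(BRAND_DOMAINS)
    .filter(([brand, owned]) => haystack.includes(brand) && !owned.includes(domain))
    .map(([brand]) => brand);
  return { host, domain, ipLiteral, impersonates, suspicious: ipLiteral || impersonates.length > 0 };
}

// The same test applied to the sending host seen in the mail details: does that
// machine belong to a domain the claimed brand owns?
function senderBelongsTo(senderHost, brand) {
  return (BRAND_DOMAINS[brand] || []).includes(registrableDomain(senderHost));
}
```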

INTELLINX HAS HOW MANY CUSTOMERS? #AntiFraud

Intellinx Ltd., a pioneer of end-user behavior tracking solutions for fraud detection and regulatory compliance, today announces its release of Intellinx zWatch for IBM System z. The new version allows organizations to track all business transactions performed on the mainframe, generate a detailed audit trail and detect suspicious activity in real-time. 

"Intellinx creates a forensic database that can be used for detecting and preventing fraud and data leakage and for managing investigations," says Jim Porell, IBM Distinguished Engineer and Security Architect for IBM System z software. "It has proven to be complementary with other compliance related tools, such as IBM's Tivoli Compliance Insight Manager, to dramatically reduce the incidents of fraud within a business. The zWatch product, when used with the existing Intellinx offerings, provides a cross platform enterprise hub for managing forensics and fraud that can reduce deployment costs while raising the overall value of the offerings."

Financial, government and healthcare enterprises worldwide utilize Intellinx to hold their end-users accountable for every action performed. The system obtains a detailed forensic audit trail of the activities of all end-user types, including business users and privileged IT users, as well as partners and customers who access the corporate systems through the web or in other ways. All access to corporate data is recorded and is available for playback, including update and read-only transactions. The Intellinx audit trail enables compliance with government regulations, such as FACTA Identity Theft Red-Flags, PCI-DSS, Sarbanes-Oxley, Basel II, GLBA and HIPAA. 

Equifax Inc., a global leader of information solutions (NYSE: EFX) deployed Intellinx last year to help track end-users activity in its core business applications. 

"Information security is a cornerstone of our business and, as a company, we are committed to placing the highest standards on data protection," says Tony Spinelli, Equifax Chief Security and Compliance Officer. "Intellinx enables us to enhance our security monitoring capability by providing a reporting platform that allows our fraud investigators to visually replay screen data of both current and historical transactions and receive real-time alerts on suspicious events."

"IBM mainframe is still the world's most popular platform for running large scale mission-critical applications" says Orna Mintz-Dov, CEO of Intellinx. "We are excited to deliver, with IBM as an Advanced Business Partner, a solution for the growing need for embedded auditing function within the mainframe." 

zWatch expands the Intellinx enterprise level solution for detecting and preventing fraud and information leakage. The new version can be combined with the existing Intellinx non-invasive version which runs on Windows, UNIX or Linux machines and tracks user and business activity on IBM System z mainframes, i5/OS, Web, Client/Server, Databases and other platforms. zWatch runs natively on the mainframe, sniffing all inbound and outbound network transmissions and recording all end-user screens and keystrokes as well as application transactions. It profiles user and account activity and generates alerts on anomalies in real-time. 

zWatch has been tested extensively and has proved to impose almost no impact on workloads since it runs as a Java application on the System z Application Assist Processor (zAAP) processor, a specialty engine designed exclusively to operate asynchronously with general purpose processors minimizing any burden to other mainframe workloads. The Intellinx patent-pending technology captures the activity of all mainframe users 24X7, yet has minor impact on disk space requirements as it stores the recorded data in highly condensed format. zWatch is the only solution on the market today which can monitor encrypted mainframe traffic including VPN encryption. 

zWatch provides a one of a kind visual replay of user activities -- screen-by-screen and keystroke-by-keystroke. The system provides Google-like search of screen content stored by the system, enabling security officers and internal auditors to search, for example for all users who accessed a specific customer account and replay the specific user activity. 

The implementation process is very short (typically just a few hours), as the system does not require any changes to any of the organization's IT infrastructure or application code. 

About Intellinx Ltd.

Intellinx Ltd. is a pioneer in end-user behavior tracking solutions for combating fraud and for regulatory compliance. By providing the tools to detect and prevent fraud attempts and information leakage, Intellinx enables organizations to hold end-users accountable for their actions, while complying with government regulations including FACTA Identity Theft Red-Flags, PCI-DSS, GLBA, HIPAA, Sarbanes-Oxley and Basel II. Intellinx Ltd. products are sold and supported directly by the company, its US-based subsidiary Intellinx Software, Inc., as well as through its worldwide network of distributors and partners in North America, Latin America, Europe, South Africa, and Asia-Pacific. The Intellinx customer base includes large financial, healthcare and government organizations around the world. For more information about Intellinx Ltd., please visit www.intellinx-sw.com .


Author Information

Hagai Schaffer

25 May 2010

Could A Criminal #Hack Your Car's Computer?



by David Teeghman
Fri May 21, 2010 09:03 AM ET 

Computer criminals used to focus on hacking into desktop and laptop computers. However, their next target may not be in your house, but in your garage: your car.

Researchers at the Center for Automotive Embedded Systems Security have found that the internal computer systems in today’s vehicles are susceptible to hackers’ attacks. Without any special knowledge about the cars, researchers were able to take control of the door locks, disable the brakes and even stop its engine, among other things.

Today’s cars are more dependent than ever on computers to perform basic functions; they do everything from wiping the windshield to maintaining tire pressure. Researchers say the typical luxury sedan just rolling off the assembly line has about 100 megabytes of code to control 50 to 70 computers inside the car. Some luxury cars have 100 million lines of software code, compared to only 1.7 million lines on a U.S. Air Force jet fighter.

The good news is that a car’s computers are usually under the dashboard, so a hacker would have to break into the car manually in order to get anywhere near them. (Unless you are Yves Behar, and in that case, you WANT people to hack your car.)
Hackers might not be willing to go to such lengths to take control of a car, but a skilled computer criminal (which may be a better description, since not all hackers are criminals) can still compromise a car’s computer system remotely by sneaking in through the car’s wireless entry points.

Those wireless entry points include satellite radios and automatic crash-response systems, and the number of wireless connections to a car’s computer system is rapidly expanding with the advent of 4G, dashboard Internet services and vehicle-to-vehicle (V2V) communications.

Once a hacker is inside the car’s internal network, there are few defenses. Electronic connections between components are linked for safety reasons. For example, car doors pop open when the airbags are activated. But that connection makes it easier for a hacker to make his way from one computer to the next.

Researchers say that as they learn more about the threats, their ability to fight hackers will improve. But for now, your car may be vulnerable to crimes mainly associated with the Internet.


20 May 2010

Forget cookies, here come the 'Fingerprints'

The results of a recent study show that users are less anonymous than is believed.

Even without cookies, browsers such as Internet Explorer or Firefox give sites enough information to build a picture of their visitors 94% of the time. At least that is what emerges from research carried out a few months ago by the Electronic Frontier Foundation, or EFF.
According to the organization, the research quantifies what many security experts have known for years. Peter Eckersley, who led the research, found that information about the configuration of the user's PC (data about the browser type, operating system, plugins and even the installed fonts) is collected by websites to build a profile of most of their users, which means that Internet users are less anonymous than they think. Experts say that even when cookies are disabled or deleted and a proxy is used to hide the IP address, the user can still be tracked.
The data does not actually identify Internet users, but it creates a 'fingerprint' that can be used to recognize the user when they visit other web pages.
Using JavaScript, web pages are able to probe computers and learn a great deal about them, and the private browsing offered by some browsers is not a sufficient guarantee in most cases. In fact, some companies have started offering solutions for these cases that allow the same tracking of evasive users. Names like 41st Parameter, ThreatMetrix or Iovation are common in online banking and e-commerce environments.
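An added example, not from the EFF study or this article, of how configuration attributes combine into a fingerprint and how much identifying information each one contributes, measured as entropy in bits over a constructed population of eight browser profiles (illustrative data, not survey results). The browser-collection function assumes the standard navigator and screen objects and is skipped outside a browser.

```javascript
const ATTRIBUTES = ['userAgent', 'plugins', 'fonts', 'timezone', 'screen'];

// Constructed sample population of 8 browser profiles (illustrative, not survey data).
// Every profile shares the timezone, font lists are unique per profile, the rest is mixed.
const SAMPLE_POPULATION = [
  { userAgent: 'UA-A', plugins: 'Flash,Java', fonts: 'Arial,Calibri', timezone: 'UTC+1', screen: '1280x800' },
  { userAgent: 'UA-A', plugins: 'Flash,Java', fonts: 'Arial,Tahoma',  timezone: 'UTC+1', screen: '1280x800' },
  { userAgent: 'UA-B', plugins: 'Flash,Java', fonts: 'Arial,Verdana', timezone: 'UTC+1', screen: '1280x800' },
  { userAgent: 'UA-B', plugins: 'Flash',      fonts: 'Arial,Georgia', timezone: 'UTC+1', screen: '1280x800' },
  { userAgent: 'UA-C', plugins: 'Flash,Java', fonts: 'Arial,Impact',  timezone: 'UTC+1', screen: '1920x1080' },
  { userAgent: 'UA-C', plugins: 'Flash',      fonts: 'Arial,Comic',   timezone: 'UTC+1', screen: '1920x1080' },
  { userAgent: 'UA-D', plugins: 'Flash',      fonts: 'Arial,Courier', timezone: 'UTC+1', screen: '1920x1080' },
  { userAgent: 'UA-D', plugins: 'Flash',      fonts: 'Arial,Symbol',  timezone: 'UTC+1', screen: '1920x1080' },
];

// Deterministic string fingerprint from the chosen attributes (order is fixed on purpose)
function fingerprintOf(profile, attrs = ATTRIBUTES) {
  return attrs.map((a) => a + '=' + (profile[a] === undefined ? '' : profile[a])).join('|');
}

// Shannon entropy (bits) of one attribute across the population: how much that attribute
// alone distinguishes users. 0 bits means everyone has the same value.
function attributeEntropyBits(population, attr) {
  const counts = new Map();
  for (const p of population) counts.set(p[attr], (counts.get(p[attr]) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const q = n / population.length;
    bits -= q * Math.log2(q);
  }
  return bits;
}

// Surprisal (bits) of one observed value: the rarer the value, the more it says about you.
function surprisalBits(population, attr, value) {
  const matches = population.filter((p) => p[attr] === value).length;
  return matches === 0 ? Infinity : -Math.log2(matches / population.length);
}

// Attributes sorted by how much identifying information they carry (descending)
function rankAttributes(population, attrs = ATTRIBUTES) {
  return attrs
    .map((a) => ({ attr: a, bits: attributeEntropyBits(population, a) }))
    .sort((x, y) => y.bits - x.bits);
}

// Number of distinct fingerprints a population yields with a given attribute set;
// compare with and without 'fonts' to see why the installed font list matters so much.
function distinctFingerprints(population, attrs = ATTRIBUTES) {
  return new Set(population.map((p) => fingerprintOf(p, attrs))).size;
}

// Reads the same kind of attributes from a real browser (assumed standard APIs; null under Node).
function collectFromBrowser() {
  if (typeof navigator === 'undefined' || typeof screen === 'undefined') return null;
  return {
    userAgent: navigator.userAgent,
    plugins: Array.from(navigator.plugins || [], (p) => p.name).join(','),
    fonts: '', // font enumeration needs plugin or canvas measurement tricks; left empty here
    timezone: String(new Date().getTimezoneOffset()),
    screen: screen.width + 'x' + screen.height + 'x' + screen.colorDepth,
  };
}
```

Neither disabling cookies nor hiding the IP address changes any of these attributes, which is the point of the study: the profile travels with the browser configuration itself.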

19 May 2010

#PCI Compliance Does Not Equal #Security

By Danny Lieberman, Security Expert and Founder of Software Associates 



I recently saw a post on the corporate blog of a company called Cloud Compliance, entitled Is Compliance is the New Security Standard.
Cloud Compliance provides a SaaS-based identity and Access Assessment (IdAA) solution that helps identify and remediate access control and entitlement policy violations. We combine the economies of cloud computing with fundamental performance management principles to provide easy, low cost analysis of access rights toprevent audit findings (sic) and ensure compliance with regulations such as SOX, GLBA, PCI DSS, HIPAA and NERC.
The basic thesis of the blog post was that since companies have to spend money on compliance anyhow, they might as well spend the money once and rename the effort “security”.
This is an interesting notion – although perhaps “placebo security” might be a cheaper approach.
Compliance is not equivalent to security for several fundamental reasons.
Let’s examine this curious notion, using PCI DSS 1.2 as a generic example of a regulatory compliance standard that is used to protect payment card numbers:
  • Filling out a form or having an auditor check off a list is not logically equivalent to installing and validating security countermeasures. A threat modeling exercise is stronger than filling out a form or auditing controls – it’s significant that threat modeling is not even mentioned by PCI DSS, despite the ROI in think time.
  • Although PCI DSS 1.2 is better than previous versions – it still lags the curve of typical data security threats – which means that even if a business implements all the controls – they are probably still vulnerable.
  • PCI DSS was designed by the card associations – there is no way that any blanket standard will fit the needs of a particular business – anymore than a size 38 regular suit will fit a 5′ 7″ man who weighs 120 kg and wrestles professionally.
  • PCI DSS talks about controls with absolutely no context of value at risk. A retailer selling diamond rings on-line may self-comply as a Level 4 merchant but in fact have more value at risk than the payment processor service provider he uses. (See my previous post on Small merchants at risk from fraudulent transactions.)
  • PCI DSS strives to ensure continued compliance to their (albeit flawed) standard with quarterly (for Level 1) and yearly (for everyone else) audits. The only problem with this is that a lot of things can happen in 3 months (and certainly in a year). The automated scanning that many Level 2-4 merchants do is essentially worthless but more importantly – the threat scenarios shift quickly these days – especially when you take into account employees and contractors who as people are by definition, unpredictable.
  • PCI DSS 1.2 mandates security controls for untrusted networks and external attacks.   The phrases “trusted insider” or “business partner” are not mentioned once in the standard. This is absurd, since a significant percentage of the customer data breaches in the past few years involved trusted insiders and business partners. A card processor can be 100 percent compliant but because they have a Mafia sleeper working in IT – they could be regularly leaking credit card numbers. This is not a theoretical threat.
  • Finally – PCI DSS is a standard for whom? It’s a standard to help the card associations protect their supply chain.   It is not a policy used by the management of a company in order to improve customer service and grow sales volume.
To summarize:
  • PCI DSS is a standard for the card associations not for your business, nor for your customers.
  • As a security standard it is better than none at all, but leaves much to be desired because it is not oriented towards the business and consumer protection.

Source: http://alturl.com/crs7

Is #Information Protection Even Possible?

December 17, 2009 by  Danny Lieberman, Security Expert and Founder of Software Associates 



A few months ago I saw an article in ComputerWeekly that asked: Is data loss prevention possible?
“Data is out of control in the corporate world…I think… the only way that we can have influence on the likelihood of (data loss) occurring is through a couple of fundamental controls, namely 1. Reduce and limit access to data 2. Control the “copy-ability” of data…”
I think that a more relevant question is “Is information protection possible?”
The author correctly identifies that it’s easier to access data (and leak it) than to modify or delete data. However, the notion that data is out of control in the corporate world is an over-reaction and does an injustice to most businesses.
Companies already manage access and control “copy-ability”. This is not new, nor is it effective against the threat of a major data loss event.
Organizations from SME and up to Global 2000 use Microsoft networks based on Active Directory with planned (not always well executed) group policies and permissions management.
Controlling access and copy-ability in the service of business objectives is precisely the objective of these systems.
If you need finer-grained copy protection, there are dozens of endpoint security products, from Check Point, McAfee and Symantec to ControlGuard.
If you need finer-grained rights management, there are products like Microsoft DRM and Oracle IRM. Personally, I don’t think that DRM is effective for enterprise information protection.
DRM changes the user experience and depends on user behavior, it can be broken and or bypassed and DRM systems are difficult to deploy on a large scale because of the above constraints.
However – permissions and rights access management and lately, removable device management have not prevented major data loss events like Heartland or Hannaford.
The reason for this is that once rights are granted, the user is trusted and can move the data anywhere he or she wants.
We need information protection, not copy protection; and in a way and at a cost that is a good fit for the business.
Information protection is possible by taking a value-based approach that integrates with the business operation.
Analyze your business requirements and threat scenarios, and only then consider data loss prevention solutions like enterprise information protection from Verdasys, agent DLP from McAfee or a gateway DLP solution from Fidelis Security.

Source: http://alturl.com/ccah

Taking Credit Card #Security Seriously

by David F. Carr, 05.17.10, 06:00 PM EDT

Small businesses should not expect to fly under the radar forever.




The easiest way for small businesses to address the information security requirements imposed by credit card companies is the wrong way. I'm talking about lying and praying.
In 2004 the major credit card companies got together to define a common Payment Card Industry Data Security Standard (PCI DSS, often referred to as just PCI). They are gradually ratcheting up the pressure on merchants of all sizes to comply. Large companies, and some smaller ones that process a large volume of transactions (particularly if they're doing it on the Web), are required to have an independent review of their processes and systems by a security professional credentialed as a qualified security assessor (QSA). Most small businesses can instead complete a self-assessment questionnaire, where they essentially grade themselves. That's where the lying comes in. It's not so hard to check off all the right answers ("Sure, I review my e-commerce server logs on a daily basis.") without actually making them true.
If you're lying, you had better also be praying. If caught, you could be fined for non-compliance, to the tune of tens or hundreds of thousands of dollars--enough to put many a small organization out of business. Expect even harsher treatment if someone hacks your systems and downloads card data you claimed you weren't even storing.
Most of the requirements are basic security, like making sure there is a firewall between your Internet connection and any system that stores credit card numbers. Factory default passwords on your network equipment must be changed, so that no one can log on as user "admin," password "admin." And so on. More specifically, you're responsible for protecting card holder data, and there's some data you're never supposed to store--like the full contents of a card's magnetic stripe.
Many small businesses are still under the impression that the rules don't apply to them because they're too small, or because they don't conduct e-commerce. Actually, the rules apply to any business--and even any nonprofit--that takes credit card payments. You can look for ways to lighten the compliance burden, but you can't get yourself off the hook entirely. Even if no one has yet compelled you to complete a questionnaire or conduct an automated scan of your networks, you're still supposed to be locking down your systems.
Some businesses complain this all sounds too complicated and expensive. But they are missing the point, says Anton Chuvakin, author of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. The PCI rules really represent the minimum security standards businesses must meet to be fair to their customers, who, after all, are trusting the merchant every time they hand over a credit card number. In the wake of a card security breach, a larger business might suffer fines, damages and adverse publicity. By contrast, "a small business is more likely to be GONE," Chuvakin said. "Businesses that endanger their customers really do deserve to die."
If your organization is not equipped to handle credit card data securely, maybe you should not be handling it at all. Look for ways to shift as much of the burden as possible onto a service provider that specializes in secure payment processing. Services such as PayPal and Authorize.net let you forward customers to their websites for payment processing; credit card numbers never pass through your hands at all.
Small businesses such as restaurants that use an older generation of countertop credit card terminals may be breaking the rules inadvertently because the device stores magnetic stripe data or otherwise violates the PCI requirements. So consider upgrading to a payment device that is certified PCI compliant. Basic terminals capable of encrypting Personal Identification Number (PIN) codes and protecting other sensitive information are available for as little as $100 and might even be offered free by merchant account services trying to win your business. The PCI Security Standards Council publishes a list of approved devices. Just remember that using a compliant device is only one element of making your business compliant.
Even if you're not storing anything explicitly prohibited, you may be storing more credit card data than you need to. Small merchants typically store a day's worth of credit card numbers on a card swipe terminal, then process all the transactions in a batch at the end of the day. Bigger retailers may record the card numbers in a centralized database so they can track all a customer's purchases, and so they can retrieve the number if they need to issue a refund. But do you need to retain those numbers at all?
Perhaps not. Martin McKeay, a QSA and author of the Network Security Blog, recommends looking at new strategies for using end-to-end encryption and "tokenization."
For example, payment processor First Data and security software firm RSA Security have developed a product called TransArmor that allows merchants to get authorization for a credit card number and then immediately dispose of the card number, replacing it with a token. The token is another number that acts as a stand-in for the credit card number itself. First Data keeps track of which tokens correspond with which credit card numbers. So if you're executing previously authorized transactions at the end of the day, you send First Data a batch of tokens, and it relays the card numbers on to the bank. But if the tokens are stolen, by themselves they are worthless to anyone else: without First Data's mapping there is no way to turn a token back into a card number.
"With this, the only time you need the true credit card number is when you do the authorization," says Craig Tieken, First Data vice president of merchant product management. "The merchant, in our opinion, no longer needs the card number." TransArmor is still in beta testing, scheduled for release in the summer of 2010.
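To make the token flow concrete, here is an added Python example. It is my sketch of the scheme the article describes, not TransArmor's or First Data's code, whose internals the article does not describe. A hypothetical ProcessorVault stands in for the processor: it is the only place a card number exists after authorization, and it hands the merchant a random token (the "tok_" format, the one-token-per-card policy and the test card numbers are all assumptions). The Merchant side persists only the token and the last four digits, settles the day's batch by sending tokens, and the final check shows that neither the merchant's stored ledger nor a different vault can yield a card number from a token.

```python
import secrets
from typing import Dict, List


def mask(pan: str) -> str:
    """Last four digits only, which a merchant is allowed to keep and display."""
    return "*" * (len(pan) - 4) + pan[-4:]


class ProcessorVault:
    """Hypothetical processor-side token vault, the role the article assigns to First Data.
    This is the only component that ever maps a token back to a card number (PAN)."""

    def __init__(self) -> None:
        # A real vault would encrypt and access-control these tables; the point here is
        # only that they live with the processor, never with the merchant.
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def authorize(self, pan: str, amount_cents: int) -> dict:
        """Authorize a sale (issuer approval is simulated) and return a token in place of the PAN."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            return {"approved": False, "reason": "malformed card number"}
        token = self._pan_to_token.get(pan)
        if token is None:
            # The token is random, so it carries no information about the PAN; only the
            # vault lookup links the two. Reusing one token per card (an assumed policy)
            # lets the merchant recognise repeat customers without holding the number.
            token = "tok_" + secrets.token_hex(12)
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        return {"approved": True, "token": token, "last4": pan[-4:],
                "amount_cents": amount_cents}

    def settle(self, batch: List[dict]) -> List[dict]:
        """End-of-day capture: the merchant sends tokens, the vault resolves them and
        would forward (PAN, amount) to the acquiring bank. Only masked numbers come back."""
        results = []
        for item in batch:
            pan = self._token_to_pan.get(item["token"])
            if pan is None:
                results.append({"token": item["token"], "status": "unknown token"})
            else:
                results.append({"token": item["token"], "status": "captured",
                                "card": mask(pan), "amount_cents": item["amount_cents"]})
        return results


class Merchant:
    """Merchant point of sale. The ledger it persists holds tokens and last-four only."""

    def __init__(self, processor: ProcessorVault) -> None:
        self.processor = processor
        self.ledger: List[dict] = []  # what would end up on the merchant's disk

    def sale(self, pan: str, amount_cents: int) -> dict:
        # The PAN exists on the merchant side only for the duration of this call.
        result = self.processor.authorize(pan, amount_cents)
        if result["approved"]:
            self.ledger.append({"token": result["token"], "last4": result["last4"],
                                "amount_cents": amount_cents})
        return result

    def settle_batch(self) -> List[dict]:
        """Send the day's tokens for capture; no card number is needed on this side."""
        results = self.processor.settle(self.ledger)
        self.ledger = []
        return results


def run_day(vault: ProcessorVault, merchant: Merchant) -> dict:
    """Walk through one day: three sales, a check of what the merchant stored, settlement."""
    test_cards = ["4111111111111111", "4111111111111111", "5555555555554444"]  # well-known test PANs
    amounts = [4210, 999, 1500]
    tokens = [merchant.sale(pan, amt)["token"] for pan, amt in zip(test_cards, amounts)]
    stored = repr(merchant.ledger)
    leaked = any(pan in stored for pan in test_cards)
    return {"tokens": tokens, "leaked_pan": leaked, "settled": merchant.settle_batch()}


if __name__ == "__main__":
    vault = ProcessorVault()
    day = run_day(vault, Merchant(vault))
    print("merchant storage contains a PAN:", day["leaked_pan"])
    print("another vault resolves the token:",
          ProcessorVault().settle([{"token": day["tokens"][0], "amount_cents": 1}])[0]["status"])
```

The design choice worth noticing is that the token is not an encryption of the card number. An encrypted number is still card data under PCI DSS and a stolen key turns it back into a PAN; a random token is only a lookup key into a table the merchant never holds, which is why a stolen merchant ledger, or the same token presented to any other processor, yields nothing.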
David F. Carr is Forbes' columnist on technology for small to midsize businesses. Contact him at david@carrcommunications.com.
Source: http://alturl.com/wipe