Tuesday, April 22, 2008

Customer data 'needs protection'

Companies and public bodies are not doing enough to protect customers' data, the UK's privacy watchdog and a major survey of security have said.

The Information Commissioner said that the 94 security breaches reported to him last year was an "alarming" number.

The survey of more than 1,000 firms suggested that almost 90% of them let staff leave offices with potentially confidential data stored on USB sticks.

Firms and public bodies were urged to make data protection a priority.

Information Commissioner Richard Thomas said of the 94 data breaches, two thirds were committed by government or other public sector bodies.

Data had been recovered in only three of the 94 cases, he said.

Stolen computers

The material included personal details of UK citizens, including health records.

"The evidence shows that more must be done to eradicate inexcusable security breaches," he said.

Mr Thomas' findings and the separate Information Security Breaches Survey will be detailed at the InfoSec show in London, the world's largest event of its kind.

The survey was carried out by PricewaterhouseCoopers on behalf of the Department for Business Enterprise and Regulatory Reform.

According to the survey, almost 80% of firms that had reported a stolen computer had not encrypted data on the hard drive.

Chris Potter, from PricewaterhouseCoopers, which compiled the survey, told BBC News that overall attitudes to security had improved in the last 12 months.

System failures

"Companies have focused on the areas which have caused them most damage in the past, such as viruses and system failures.

"These tend to have caused the greatest cost in terms of business interruption."

But he said the "biggest concern is around the protection of customer data, which companies clearly want to be good at.

"Sometimes that's not translating into real action."

He said particular threats were around the lack of encryption of data on laptops, the use of USB memory sticks and newer technologies like Voice over Internet Protocol.

"In all these areas the controls are not as strong as they are over traditional threats," he said.

Mr Potter's comments were echoed by those of the Information Commissioner.

Mr Thomas said: "The government, banks and other organisations need to regain the public's trust by being far more careful with people's personal information.

"Once again I urge business and public sector leaders to make data protection a priority in their organisation."

Of the total reported to the commissioner, 62 security breaches were in the public sector, 28 were in the private sector and four in the charity or third sector.

Of those reported by public sector bodies, almost a third happened in central government and associated agencies, and a fifth in the NHS.

According to the PricewaterhouseCoopers report, fewer companies today are encrypting data on laptops than two years ago, despite a recent spate of high-profile instances of laptop losses with unencrypted information.

Mr Potter said: "We have seen in successive surveys that companies tend to be very good with preventing yesterday's problems. Companies need to stay on their toes to make sure they are addressing tomorrow's problems."

Risen dramatically

The report found that the number of attempts to hack into company networks had risen dramatically over the last two years.

"What is a really big concern is the proportion of large businesses that say hackers have got into their networks," said Mr Potter.

Two years ago one percent of large businesses reported a hacker penetration compared to 13% in the current report.

The survey also said that figure was likely to be under-reported because many large firms did not admit to successful hacks on their networks.

Security breaches cost UK business roughly several billion pounds a year, said the report.

Thursday, April 10, 2008

Beijing Olympic Games and Cyber Security

In order to meet the city’s demand for information security during the Olympic Games, the first municipal Information Security Emergency Response and Disposal Centre was set up in Beijing on April 1; and it will operate 24 hours a day. The Information Security Emergency Response and Disposal Centre has set up

Dot Asia Domain Names Sex all the Way

The ‘Landrush’ period for .asia domain names has just closed. Almost 300 domain names beginning with ‘sex’ received more than one request for registration and will be auctioned to the highest bidder. And 14 organisations claimed prior right to use sex.asia. Of the names receiving multiple requests,

INDONESIAN SENTENCED TO 10 MONTHS IN PRISON FOR HACKING INTO HOTEL

A Lomita resident who admitted hacking into business kiosks at hotels and stealing credit card information that he used to obtain credit was sentenced this afternoon to 10 months in federal prison. Hario Tandiwidjojo, 28, an illegal alien from Indonesia, was sentenced by United States District Judge Gary A. Feess, who also ordered the defendant to pay $34,266 in restitution.
In December, Tandiwidjojo pleaded guilty to one count of unauthorized access to a protected computer to conduct fraud. In a plea agreement, Tandiwidjojo admitted that he hacked into approximately 60 computers inside business kiosks operated by Showcase Business Centers, Inc. Tandiwidjojo bypassed four password checks that Showcase Business Centers had in place on their computers, using passwords he obtained while employed by a company that serviced the business kiosks.
After hacking into the computers, Tandiwidjojo installed malicious software that allowed him to intercept data, such as credit card information from customers who used the business kiosks. The malicious software transferred the stolen customer data to a website Tandiwidjojo controlled. Tandiwidjojo then used this information to fraudulently make charges to the stolen credit card accounts. The $34,266 in losses resulted from only three days of computer intrusions in February 2007.
When FBI agents searched Tandiwidjojo's residence in August, they discovered a credit card writer that is used to put information on magnetic strips on credit cards, a credit card terminal used to process credit card transactions, multiple bank and gift cards, and a California driver's license with Tandiwidjojo's picture but another individual's name. This case was the result of an investigation by the Federal Bureau of Investigation.

Cyber crime stays one step ahead

What started as the preserve of geeky hackers has become a multibillion-pound, international criminal industry, reports Sarah Arnott
Saturday, 22 March 2008

Computer crime is not only exploding in volume but is mutating faster than it can be contained, a new report to be published next week will warn.
Some 2.5 million new types of malicious programme have been launched in the past two months alone – more than the previous 15 years put together, according to the latest data from the security firm Trend Micro. The UK now has around 1.25 million “infected” computers. And the average number of PCs across the world sending out spam emails every month shot up to 10 million last year, more than double the 4.2 million in 2006, which was double the 2.1 million in 2005.
What began as the preserve of geeky hackers showing off to their peers has become a multi-billion-pound, international criminal industry, including unsolicited email “phishing” campaigns to con people out of financial details and passwords, and complex extortion rackets.
In the age-old cat and mouse of the good guys against the bad, each side inspires the other to ever greater levels of sophistication. And as viruses evolve, taking root on everything from digital cameras to USB memory sticks, simply securing a corporate infrastructure may no longer be enough.
A key tool for the cyber-criminal is the botnet – an array of computers that are recruited by a virus and can then be controlled from one place, often without their owner’s knowledge. Botnets can include tens of thousands of individual PCs, and have all manner of nefarious uses, including mass spamming, propagating yet more viruses, and crashing target websites by bombarding them with visitors.
The latest versions may even have automatic-recovery and self-healing features that parallel the most advanced corporate networks. And botnets are now rented out – for around $1,000 (£504) for 10,000 computers.
“These criminals are clever, and there’s lots of money to be made, so they are motivated to create more and more sophisticated infrastructures,” Dave Rand, the chief technology officer at Trend Micro, said. “Part of the problem is that they no longer set out to take down the computer, but continue operating it without anyone’s knowledge.”
The current estimate is that there are 175 million infected computers live on the internet today. And cyber crime is worth billions of dollars. But incidences are so diverse, and the techniques are evolving so quickly, that it is almost impossible to gauge the true scale of the problem.
In value terms, the biggest scam at the moment is “click fraud”, where scurrilous websites that are being paid by advertisers on a per-click basis use botnets to bombard the site with apparent interest. Second is good, old-fashioned, fraud – using credit-card details, online accounts or electronic transfers – based on information stolen either from individuals’ computers or from insecure company databases. Third is extortion – often against gambling sites in the run-up to major sporting events – where botnets are used to prove the site can be knocked down unless payment is received.
The criminals’ techniques are continually developing. This month, for example, saw the first botnet involving both humans and machines. To circumvent security measures in signing up free email accounts, a criminal group set up a high-tech sweat shop in India to process the part of the application that cannot be done automatically.
And hardware is starting to become infected in the manufacturing process, before it has even left the factory. Though the numbers are small so far, there have been recorded problems with Apple iPods, TomTom satnavs and, most recently, digital picture frames. “Anything which has storage capacity and can be plugged into a computer could now be carrying a virus,” Graham Cluley, the senior technology consultant at Sophos, said.
How to enforce the law in the new Wild West
The problem with cyber crime is that it is ahead of the game. It is ill-defined, international and difficult to trace. And it is often not even clear which laws are being broken.
However, it is possible to have an impact. International comparisons show that developed economies – with stricter copyright laws, higher awareness levels and more modern technology – have lower virus levels. Turkey, for example, has 2.5 million infected computers, double the number in the UK and five times that of the Netherlands.
But even in countries with a sense of the problem, there are no easy answers as to who takes responsibility for what.
Some point the finger at the internet service providers (ISPs). “If the top 10 ISPs in the world spam league did anything, we would all be getting two orders of magnitude less,” Dave Rand, chief technology officer at Trend Micro, said.
But the internet industry says legitimate providers already have complex and effective anti-spam measures.
“For any measures to be truly effective, every network operator in the world has to do likewise because there is no discrimination in terms of where an infected computer is,” a spokesman for BT said. “And consumers also have a role to play in ensuring they protect their system appropriately.”
Any success in tackling the problem will rely on a co-ordinated approach – including the internet industry, the Government, and end users. It will also mean finding ways to frame laws that are sufficiently loose to keep up with technological change, but sufficiently strict to be enforceable.
“Online crime is on the rise, and there is a growing awareness that it can only be addressed collectively,” Jeremy Beale, head of ebusiness at the CBI, said.
Critics say the Government needs to put its money where its mouth is.
Lord Broers – who chairs the House of Lords committee that branded the internet as the new Wild West – says online law enforcement should be a priority.
“The Government should do a better job in gathering data on internet crime and fraud,” Lord Broers said. “And we have to shift resources into this sort of policing.”

RETIREMENT AGE OF JUDGES

A proposal to increase the retirement age of the Judges of the Supreme Court and the High Courts by three years is under examination of the Government. As regards increase in the retirement age of District/Subordinate Court Judges, it is the concern of the respective State Governments. This information was given by Minister of Law and Justice, Shri H. R. Bhardwaj in written reply to a question in Rajya Sabha.