Privacy and technology

From the introduction:

“Cyber security is increasingly regarded as a horizontal and strategic national issue affecting all levels of society. A national cyber security strategy (NCSS) is a tool to improve the security and resilience of national infrastructures and services. It is a high-level, top-down approach to cyber security that establishes a range of national objectives and priorities that should be achieved in a specific timeframe. As such it provides a strategic framework for a nation’s approach to cyber security. To assist the EU Member States in the important task of developing and maintaining a successful national cyber security strategy, ENISA is developing a Good Practice Guide. The guide will present good practices and recommendations on how to develop, implement and maintain a cyber security strategy. This paper presents some of the preliminary findings from the project that is developing the guide. It includes a short analysis of the current status of cyber security strategies within the European Union (EU) and elsewhere; it identifies common themes and differences, and concludes with a series of observations and recommendations.”

Uit de introductie op de pagina:

“In deze realtime Phishing Scorecard wordt de huidige situatie van de beveiliging van e-mailstromen van banken met elkaar vergeleken. Als een bank één van deze technische bouwstenen doorvoeren in hun e-mailbeveiliging zal het rode kruis een groen vinkje worden. Zodra een bank haar beveiliging op orde heeft zullen er alleen maar groene vinkjes staan en beschermen ze 40% van hun klanten.”

(Source: frankwatching.com)

From the page:

“SSL Pulse is a continuous and global dashboard for monitoring the quality of SSL support across the top one million web sites. SSL Pulse is powered by the assessment technology of SSL Labs, which is focused on auditing the SSL ecosystem, raising awareness, and providing tools and documentation to web site owners so they can improve their SSL implementations.”

(Source: networkworld.com)

From the executive summary:

“Symantec blocked more than 5.5 billion malicious attacks in 2011; an increase of more than 81% from the previous year. This increase was in large part a result of a surge in polymorphic malware attacks, particularly from those found in Web attack kits and socially engineered attacks using email-borne malware. Targeted attacks exploiting zero-day vulnerabilities were potentially the most insidious of these attacks. With a targeted attack, it is almost impossible to know when you are being targeted, as by their very nature they are designed to slip under the radar and evade detection. Unlike these chronic problems, targeted attacks, politically-motivated hacktivist attacks, data breaches and attacks on Certificate Authorities made the headlines in 2011.”

(Source: security.nl)

From the introduction:

“This report contains the results of the study of the state of the Russian cybercrime market in 2011. It examines the main risks associated with various types of hacker activities, analyzes the main trends in the development of the Russian cybercrime market, estimates the shares and the financial performance of the Russian segment of the global cybercrime market, and forecasts market trends for this year.”

(Source: security.nl)

From ‘NCC findings’:

“Negligible personal data was found on the memory sticks and mobile telephones. In the case of hard drives: 38% of the devices had been wiped of data; 14% were damaged/ unreadable; 37% contained nonpersonal data; 11% contained personal data.”

(Source: security.nl)

From 1. Overview:

“Cyber-criminals are increasingly using automation to carry out their attacks on web applications. This phenomenon has several reasons:

• Automatic tools enable an attacker to attack more applications and exploit more vulnerabilities than any manual method possibly could.
• The automatic tools that are available online save the attacker the trouble of studying attack methods and coming up with exploits to applications’ vulnerabilities. An attacker can just pick a set of automatic attack tools from the ones that are freely available online, install them, point them at lucrative targets, and reap the results.
• These tools use resources (like compromised servers that are employed as attack platforms) more efficiently.
• Automatic tools open new avenues for evading security defenses. For example, such a tool can periodically change the HTTP User Agent header that is usually sent in each request to an application and that may be used to identify and block malicious clients. As another example, sophisticated automatic tools can split the attack between several controlled hosts, thus evading being blacklisted.”

(Source: security.nl)

From the report:

“‘Mobile technology’ is just what the name implies — portable technology that isn’t limited to mobile phones. This also includes devices like laptops, tablets, and global positioning system (GPS) devices. As with any other kind of technology though, there are drawbacks to ‘going mobile.’ Mobile devices can expose users’ and organizations’ valuable data to unauthorized people if necessary precautions are not taken. […] Trend Micro identified approximately 5,000 new malicious Android apps just this quarter.”

(Source: automatiseringgids.nl)

Abstract:

“Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions. First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Since password-enabled transfers can always be repudiated this explains the importance of mules, who accept bad transfers and initiate good ones. This suggests that it is the mule accounts rather than those of victims that are pillaged. We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cybercrime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.”

(Source: security.nl)

Inhoudsindicatie:

“De verdachte heeft zich samen met een ander schuldig gemaakt aan het maken en verspreiden van een virus en een trojan, welke (onder andere) de functie hadden om inloggegevens en wachtwoorden af te vangen, op te slaan en naar een voor de verdachte en zijn medeverdachte toegankelijke bestandslocatie te verzenden. Van die gegevens kon misbruik worden gemaakt en dat is ook gebeurd. Aldus heeft de verdachte opzettelijk een stoornis in de besmette computers veroorzaakt, zodat er gemeen gevaar voor een ongestoorde dienstverlening te duchten is geweest. De verdachte heeft welbewust misbruik gemaakt van zijn kennis van informatie- en communicatietechnologie. Het Hof veroordeelt de verdachte tot een gevangenisstraf voor de duur van 730 (zevenhonderddertig) dagen. Tevens wordt bepaald dat een gedeelte van de gevangenisstraf, groot 405 (vierhonderdvijf) dagen, niet ten uitvoer zal worden gelegd, tenzij de rechter later anders mocht gelasten omdat de verdachte zich voor het einde van een proeftijd van 2 (twee) jaren aan een strafbaar feit heeft schuldig gemaakt.”

(Source: itenrecht.nl)

From the executive summary:

“Negligent insiders and malicious attacks are the main causes of data breach. Thirtynine percent of organizations say that negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.”

(Source: insideprivacy.com)

Uit het nieuwsbericht:

“De fraude in het betalingsverkeer is vorig jaar gestegen tot 92 miljoen euro. Desondanks is het betalingsverkeer in Nederland in het licht van de omzetten die hierin worden bereikt uiterst veilig. Dat blijkt uit cijfers die de Nederlandse Verenging van Banken vandaag heeft gepresenteerd. De fraude vond vooral plaats bij het internetbankieren en door skimming van betaalpassen. De internetfraude steeg van bijna tien miljoen euro in 2010 naar 35 miljoen euro vorig jaar. De fraude door skimming (het kopiëren) van betaalpassen steeg van 19,7 miljoen euro in 2010 naar 38,9 miljoen euro vorig jaar.”

(Source: security.nl)

From the foreword:

“To understand the levels of information risk within European mid-market businesses and their capability to mitigate against this, Iron Mountain commissioned PwC to study 600 mid-sized businesses across Europe. The results reveal a deeply concerning picture of complacency, ignorance and lack of management that should sound an alarm bell across the European community.”

(Source: webwereld.nl)

From the executive summary:

“This unrest that so typified 2011 was not, however, constrained to the physical world. The online world was rife with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks. While these activities encompassed more than data breaches (e.g., DDoS attacks), the theft of corporate and personal information was certainly a core tactic. This re-imagined and re-invigorated specter of ‘hacktivism’ rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior. It wasn’t all protest and lulz, however. Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property. We certainly encountered many faces, varied tactics, and diverse motives in the past year, and in many ways, the 2012 Data Breach Investigations Report (DBIR) is a recounting of the many facets of corporate data theft.”

(Source: Wired)

From the executive summary:

“The Symantec Smartphone Honey Stick Project is an experiment involving 50 “lost” smartphones. Before the smartphones were intentionally lost, a collection of simulated corporate and personal data was placed on them, along with the capability to remotely monitor what happened to them once they were found. Chief among the findings is that there is a very high likelihood attempts to access both sensitive personal- and business-related information will be made if a lost and unprotected smartphone is found by a stranger. Secondarily, the owner of a lost smartphone should not assume the finder of their device will attempt to make contact with them. Even when contact is made, the owner of the device should not assume their personal- or business-related information has not been violated.”

(Source: security.nl)