Study: More Data Accidents Happen 'Unofficially' at Home
Plus, "human error" strikes again; company offers to patent security fixes; more.
A security services vendor has conducted a study comparing official "teleworkers"
to unofficial teleworkers, and suggested that unofficial home workers are putting
data at more risk
Considering that the study has a margin of error of 6.1 percent and that all
of the numbers presented are within that margin of error, it's unreasonable
to state that unofficial teleworkers are riskier than official teleworkers.
The study also makes no attempt to explain why differences might exist. Most
unofficial teleworkers take corporate laptops home, not just data, to bypass
the need to have copies of corporate software on their home systems.
The study also made no comments about the sensitivity of the data taken by
unofficial teleworkers, something we should be more concerned about. If someone
is unofficially taking sensitive corporate information home, that would be more
important to us than knowing whether they had up-to-date anti-virus.
Bank Plays 'Human Error' Card
The Bank of Scotland put 62,000 mortgage customers' information on a disk and
then sent it, unencrypted, via regular post. The bank claims this
was the result of human error and not the standard procedure. It also said
that not only should the data have been encrypted, but it should also have been
sent via secure courier. The bank does not believe the disk was stolen.
You have to love it when something like this happens and the entity responsible
claims it was not "standard operating procedure." In fact, the two
critical errors in the bank's actions suggest something more systemic than simple
Consider that if the content was unencrypted, there's no record of it being
transferred to the disk. Next, sending it via standard post means there's no
record of it actually being given to the post, or that it was addressed correctly.
In other words, there's no way to verify what data was on the disk or that it
wasn't sent to a criminal's address intentionally.
But hey, if you think you can get away with the "it was human error"
line, good luck.
Patents for Fixes?
Intellectual Weapons says it has streamlined
the patent process: It will help vulnerability discoverers who've also come
up with a fix to the vulnerability they've found get a patent on the fix. This
patent would then be licensed to vulnerable vendors. Intellectual Weapons thinks
this is better than paying for vulnerability information or, worse, giving the
information away for free.
Have you ever felt that your hands were dirty simply because you heard someone
else's idea? Imagine a world where we had to license fixes for every vulnerability
found, each by someone different. And just how long would you have to license
the fix for, anyway? Would it be considered an antitrust violation if Microsoft
refused to license a fix, and simply patched the software itself in a way that
didn't infringe on the patent?
Worse, what if there was no way to fix the software without infringing on the
alleged patent? Can you imagine a judge prohibiting Microsoft from releasing
a security fix because it would infringe on a patent owned by some individual
Alas, there's no doubt this company will find someone to use as a guinea pig
(although it hasn't so far, thank goodness).
Security and Public Web Servers
the second draft (PDF) of the National Institute of Standards and Technology's
guidelines for planning, deploying, administering and maintaining a public-facing
Web server. Very comprehensive.
This column was originally
published in our weekly Security Watch newsletter. To
subscribe, click here.
All the News That's Fit To Disrupt the Oil Market
Tulsa, Okla.'s KOTV, a CBS affiliate, released a story on its Web site stating
that a lightning strike at a local refinery resulted in a fire. The story was
quickly picked up by oil traders who, worried about production cancellations,
U.S. crude oil prices to rise 40 cents. However, not long afterward, the
refinery itself put out a story stating that no such fire existed.
While some speculate that the U.S. economy could be hampered by DoS attacks
such as those done against Estonian sites, the real potential for economic harm
via the Internet lies in these types of problems. False stories on legitimate
sites -- whether they're posted in ignorance or with malicious intent -- are
trusted by a far greater swath of the economy than many realize. And with RSS
feeds popping stories up on trader boards, it won't take much before something
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.