Security Watch
Study: More Data Accidents Happen 'Unofficially' at Home
Plus, "human error" strikes again; company offers to patent security fixes; more.
A security services vendor has conducted a study comparing official "teleworkers"
to unofficial teleworkers, and suggested that unofficial home workers are
putting data at more risk.
Considering that the study has a margin of error of 6.1 percent and that all
of the numbers presented are within that margin of error, it's unreasonable
to state that unofficial teleworkers are riskier than official teleworkers.
The study also makes no attempt to explain why differences might exist. Most
unofficial teleworkers take corporate laptops home, not just data, to bypass
the need to have copies of corporate software on their home systems.
The study also made no comments about the sensitivity of the data taken by
unofficial teleworkers, something we should be more concerned about. If someone
is unofficially taking sensitive corporate information home, that would be more
important to us than knowing whether they had up-to-date anti-virus.
Bank Plays 'Human Error' Card
The Bank of Scotland put 62,000 mortgage customers' information on a disk and
then sent it, unencrypted, via regular post. The bank claims this
was the result of human error and not the standard procedure. It also said
that not only should the data have been encrypted, but it should also have been
sent via secure courier. The bank does not believe the disk was stolen.
You have to love it when something like this happens and the entity responsible
claims it was not "standard operating procedure." In fact, the two
critical errors in the bank's actions suggest something more systemic than simple
human error.
Consider that if the content was unencrypted, there's no record of it being
transferred to the disk. Next, sending it via standard post means there's no
record of it actually being given to the post, or that it was addressed correctly.
In other words, there's no way to verify what data was on the disk or that it
wasn't sent to a criminal's address intentionally.
But hey, if you think you can get away with the "it was human error"
line, good luck.
Patents for Fixes?
Intellectual Weapons says it has streamlined
the patent process: It will help vulnerability discoverers who've also come
up with a fix to the vulnerability they've found get a patent on the fix. This
patent would then be licensed to vulnerable vendors. Intellectual Weapons thinks
this is better than paying for vulnerability information or, worse, giving the
information away for free.
Have you ever felt that your hands were dirty simply because you heard someone
else's idea? Imagine a world where we had to license fixes for every vulnerability
found, each by someone different. And just how long would you have to license
the fix for, anyway? Would it be considered an antitrust violation if Microsoft
refused to license a fix, and simply patched the software itself in a way that
didn't infringe on the patent?
Worse, what if there was no way to fix the software without infringing on the
alleged patent? Can you imagine a judge prohibiting Microsoft from releasing
a security fix because it would infringe on a patent owned by some individual
somewhere?
Alas, there's no doubt this company will find someone to use as a guinea pig
(although it hasn't so far, thank goodness).
Security and Public Web Servers
Here's the second draft (PDF) of the National Institute of Standards and Technology's
guidelines for planning, deploying, administering and maintaining a public-facing
Web server. Very comprehensive.
This column was originally published in our weekly Security Watch newsletter.
All the News That's Fit To Disrupt the Oil Market
Tulsa, Okla.'s KOTV, a CBS affiliate, released a story on its Web site stating
that a lightning strike at a local refinery resulted in a fire. The story was
quickly picked up by oil traders who, worried about production cancellations,
promptly caused U.S. crude oil prices to rise 40 cents. However, not long afterward,
the refinery itself put out a story stating that no such fire existed.
While some speculate that the U.S. economy could be hampered by DoS attacks
such as those done against Estonian sites, the real potential for economic harm
via the Internet lies in these types of problems. False stories on legitimate
sites -- whether they're posted in ignorance or with malicious intent -- are
trusted by a far greater swath of the economy than many realize. And with RSS
feeds popping stories up on trader boards, it won't take much before something
major happens.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.