Lights Out for Financial Times Web Site
Plus, personal data leaks onto LimeWire; texting and privacy.
A break-in at an apparently "lights out" Cable & Wireless
hosting facility near London left the Financial Times unable to add content
to its site. Sainsbury's, one of the largest grocery chains in England
offering online grocery shopping, was also affected as criminals stole
not only servers, but routers and wiring.
Criminals are willing to go after manned as well as unmanned facilities,
which is why it's important to distribute your site across more than one
LimeWire Shares Personal Data Too
Wagner Resource Group, a Virginia investment firm with customers including
the Supreme Court Justice Breyer, has had to notify about 2,000 customers
that some personally identifiable data was leaked onto the LimeWire network.
The information's existence on LimeWire was discovered by an individual
not related to the investment firm.
If you need an example to convince management to place stronger restrictions
on employee use of corporate assets for non-business tasks, this is a
good one. It's also serves as a good reason to closely monitor outbound
Using file-sharing networks on corporate systems can open up every directory
on the drive to those networks. If the user is not savvy enough to understand
the implications of doing so, all sorts of corporate information could
be disseminated. Consider what would happen if advance earnings information
was leaked from a publicly traded company.
Monitoring outbound traffic details for things like excessive outbound
traffic (or even spikes from systems which typically have low volume outbound
traffic) not only can identify users participating in such networks, but
also systems infected with malware or those participating in spamming.
Texting at Work Protected and Private
A ruling by the U.S. Ninth Circuit Court of Appeals has given privacy
advocates hope that the historic strong position of employers when it
comes to the communications of their employees on corporate-owned systems
may be wavering. The court ruled that The City of Ontario had no right
to review the contents of text messages sent by a police officer via a
city-supplied pager. http://www.technewsworld.com/rsstory/63492.html
A deeper analysis suggests that the ruling may not be as important as
it first seems. The City of Ontario wanted to determine if pagers were
being used for personal reasons. They conducted an audit of text messaging
in a way that was more intrusive than it needed to, reviewing the contents
of the messages instead of simply the To and From header information.
The header information could have told them whether personal messages
were being sent. Further, their contract with their service provider and
the usage policy the officer signed with the city both could have contained
wording giving the city adequate rights to access the contents of messages,
should they actually have wanted that information.
Finally, the city had tacitly approved the excessive use of pagers, presumably
for personal reasons, by charging officers who had overused their pages
for that excess. In doing so, they essentially condoned the practice.
In the end, the important aspect is the distinction between third-party
services versus in-house equipment. Third-party service providers can
only produce the contents of messages, including e-mails, to the sender
or the recipient unless explicit permission is granted in the contract
with the corporation.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.