Security Watch

Lights Out for Financial Times Web Site

Plus, personal data leaks onto LimeWire; texting and privacy.

A break-in at an apparently "lights out" Cable & Wireless hosting facility near London left the Financial Times unable to add content to its site. Sainsbury's, one of the largest grocery chains in England offering online grocery shopping, was also affected as criminals stole not only servers, but routers and wiring.

Criminals are willing to go after manned as well as unmanned facilities, which is why it's important to distribute your site across more than one facility.

LimeWire Shares Personal Data Too
Wagner Resource Group, a Virginia investment firm with customers including the Supreme Court Justice Breyer, has had to notify about 2,000 customers that some personally identifiable data was leaked onto the LimeWire network. The information's existence on LimeWire was discovered by an individual not related to the investment firm.

If you need an example to convince management to place stronger restrictions on employee use of corporate assets for non-business tasks, this is a good one. It's also serves as a good reason to closely monitor outbound traffic details.

Using file-sharing networks on corporate systems can open up every directory on the drive to those networks. If the user is not savvy enough to understand the implications of doing so, all sorts of corporate information could be disseminated. Consider what would happen if advance earnings information was leaked from a publicly traded company.

Monitoring outbound traffic details for things like excessive outbound traffic (or even spikes from systems which typically have low volume outbound traffic) not only can identify users participating in such networks, but also systems infected with malware or those participating in spamming.

Texting at Work Protected and Private
A ruling by the U.S. Ninth Circuit Court of Appeals has given privacy advocates hope that the historic strong position of employers when it comes to the communications of their employees on corporate-owned systems may be wavering. The court ruled that The City of Ontario had no right to review the contents of text messages sent by a police officer via a city-supplied pager.

A deeper analysis suggests that the ruling may not be as important as it first seems. The City of Ontario wanted to determine if pagers were being used for personal reasons. They conducted an audit of text messaging in a way that was more intrusive than it needed to, reviewing the contents of the messages instead of simply the To and From header information. The header information could have told them whether personal messages were being sent. Further, their contract with their service provider and the usage policy the officer signed with the city both could have contained wording giving the city adequate rights to access the contents of messages, should they actually have wanted that information.

Finally, the city had tacitly approved the excessive use of pagers, presumably for personal reasons, by charging officers who had overused their pages for that excess. In doing so, they essentially condoned the practice.

In the end, the important aspect is the distinction between third-party services versus in-house equipment. Third-party service providers can only produce the contents of messages, including e-mails, to the sender or the recipient unless explicit permission is granted in the contract with the corporation.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular