Archive for the 'Data Theft' Category

You have to pay for quality

The media frequently speak about the underground economy and quote price ranges for the various private goods available for sale. I recently read that the trend was bearish, but let there be no misunderstanding: where the quality is there, the price is still high. It is just like the price of food: you have the hard-discount stores and the luxury stores!

With this post, I wish to be more precise regarding the data regarding the prices of some cybercriminal groups around the globe.

Last Friday morning in France, my investigations led me to a site offering top-quality data at a higher price than usual. Looking at this data, we understand that, as everywhere, you have to pay for quality. The first offer concerned bank logons. As you can see in the following screenshot, pricing depends on the available balance, the bank and the country. Additional information such as the PIN and the transfer passphrase is also supplied when necessary:

[screenshot]

For such prices, the seller offers some guarantees. For example, the purchase is covered by replacement if you are unable, within 24 hours, to log into the account using the provided details.

The site also offers US, Austrian and Spanish credit cards with full information:

  • ccnumber
  • cvv2
  • exp.date
  • name
  • address
  • city
  • state/province
  • zip/postal
  • phone-number
  • SSN(US Only)
  • DL#
  • MMN

[screenshot]

It is also possible to purchase skimmers (for ATMs) and “dump tracks” used to create fake credit cards. Here too, the cost tracks the quality:

[screenshot]

Depending on the price, you can choose your bank among various lists; more than 900 choices for North America or European countries:

[screenshot]

Many other offers are available, such as access to shop administrative areas (the back end of an online store, where all the customer details are stored, from name, SSN, DOB, address and phone number to credit card) or UK or Swiss passport information:

[screenshot]

And to convince prospective clients, the site offers some free data to demonstrate their know-how. I partially anonymized some of this data so I could provide an example. If you recognize yourself, do not hesitate to contact the police force so that they may institute legal proceedings.

[screenshots]

Mobile phone malware launders money through an online game

We have been in contact with one of Germany’s state criminal investigation authorities (LKA). This is a case in which a malicious program running on mobile phones was making unauthorised calls. All these calls went to one and the same SMS number, which is used to top up the amount of virtual money in one of the online games. Topping up in-game cash via SMS messages is a scheme frequently used by online game vendors.

This is a really interesting twist because in the past malware writers simply programmed malware (either on a desktop or on a mobile device) to call a premium phone number (one where the cost of a call is high). Of course, with this old method it is easier to trace the destination of funds because for each such call real money is transferred from a phone company to the owner of the premium number. So the principle “follow the money” to track the perpetrators usually works.

This new and indirect way of laundering money through an online game makes it significantly more difficult to track the destination: several in-game asset transfers can be made before the money is taken out of the game through real-money trading (RMT, a bannable offence in most online games, although some games allow it, for example Second Life).

Our advice is not to use programs for mobile phones that come from untrusted sources (such as game forums, Internet newsgroups, e-mails, P2P networks, blogs, etc.).

Avertlabs would kindly ask all mobile phone users to be vigilant and submit suspicious programs for our analysis - the easiest way is to use our online Webimmune service www.webimmune.net.

Beware of Forgeries

A recent report by the OECD (Organisation for Economic Co-operation and Development) indicated that counterfeit and pirated goods in 2005 could have had a value of up to 200 billion U.S. dollars.

One path to fake goods is via spam, which frequently offers counterfeit medicines and replica watches. A recent post from the French CERT-LEXSI blog caught my attention regarding fake luxury mobile phones selling for absolutely unbeatable prices.

These phones are normally manufactured by Vertu, a British subsidiary of Nokia, and are sold in luxury shops in Monte Carlo, Cannes, or Beverly Hills. On their official top-quality site (www.vertu.com), prices are not mentioned, but by visiting some authorised retailer Web sites I found exorbitant figures. Some mobiles, bedecked in gold and diamonds, exceed $90,000. Really too expensive for me!

Using Google, it’s really easy to find fake sites offering these counterfeit marvels. In fact it is easier to find the fake sites than the authorized ones!

And the prices–assuming you need one of these–are attractive: less than $1,000 for a copy of an original that sells for $97,300.

Regular spam campaigns promote such Vertu “replica” sites. Be vigilant, however, because appearances can be deceiving. Sites are numerous and their common feature is their high-quality, professional look–with black backgrounds that imitate the official site.

These sites are hosted at various providers in various countries (USA, Germany, and Hong Kong). Some of them seem clean; others are known for bulletproof hosting services and their relationship with the Russian Business Network, an alleged cybercrime organization. The registrars are also diverse (Estonia, Russia, and Korea) and more questionable. It is surprising that they do not require any name verification before accepting registrations. But once you know that a lot of spam- and malware-related Web sites come from them, their permissiveness is easier to understand. Registrant addresses and e-mails give us an inkling of the nationality of their owners: China and Russia.

For the potential buyer, the key issue concerns the risk. The Swiss Watch Industry clearly points out that the buyer is the first victim, because purchasing counterfeits is:

  • Agreeing that piracy is OK; the counterfeiter seeks to appropriate somebody else’s hard work and investment.
  • Supporting and financing organized crime; links between counterfeiting activities and criminal networks have been established in many cases.
  • Accepting underground and child labor.
  • Endangering your own health and safety; the risk is real with medicines, aircraft and auto spare parts, medical supplies, and cosmetics.
  • Reducing employment and stifling growth; this form of criminality contributes to the reduction of employment, which is estimated to cost more than 200,000 jobs worldwide per year.
  • Being liable to criminal sanctions; the buyer may face criminal and financial sanctions. The mere possession of counterfeits is illegal in many countries. Furthermore, penalties could be claimed by legitimate intellectual property rights’ owners. Customs also can seize and destroy illegal items and assess fines.

And if these considerations don’t stop you, remember that you run the risk of not receiving the goods you pay for; instead you might have your banking details stolen and reused in future malevolent activities. None of the sites I visited yesterday offered a secure Internet payment system; one of them housed a hidden IFRAME linked to a known password-stealing Trojan.

Race to Zero, what?

There’s been considerable stink lately about the Race to Zero contest that is to be held at Defcon. I, for one, am a bit perplexed by this. This article from ZDNet Australia is what finally made my eyes cross in confusion/aggravation.

I don’t know at what point the collective “wisdom” became that signature-based AV was ever intended to be about defending against every threat ever devised, before it was ever devised. Signature-based scanners are intended to detect and clean known threats. If you modify a known threat, it’s not really “known” anymore, is it? Now it’s a variant of a known threat.

It’s certainly desirable to have protection against all threats, known and not-yet-known. This is what things like firewalls, Intrusion Prevention Systems, Data Leakage Prevention and all those other wonderful security products are intended to do, in concert with AV. Most AV software now also includes proactive static detection like Generic and Heuristic detection, along with more dynamic detection like emulation or behavioral detection. Many AV programs now also include broader security functionality like a firewall or IPS.

Generic and Heuristic detection is certainly better at picking up unknown threats than simple signature-based scanning, but there are three things that limit it. For one, it’s still reactive, basing detection on known bad techniques. Secondly, it’s static - obfuscation can still muck up the detection, if it causes the file to deviate from the known bad technique. Finally, there’s still a need for these detections not to be false-prone. Heuristics and generics essentially cover known “really, really bad” techniques. The threshold of badness must be quite high to make it into AV products. Consider how many commercial products and widely used administration tools blur those lines, and you may come to appreciate what a very fine line it is.

It’s not clear from what I’ve seen whether the contest’s judges intend to use the most paranoid settings available within the various products, but their description does seem to indicate they’ll only use the static detection, rather than running samples in real time through the products. This does not accomplish a full test of the products’ capability; it only tests one component. The results they get will not be what an average user will get.

The contest organizers and participants are playing with fire in order to prove what we already know: Signature-based scanners are meant to protect against known threats. That doesn’t mean that AV is dead, or that it’s useless. The industry is evolving, and its products with it. AV is intended to be one tool in a complete security arsenal. Defense in depth is where it’s at, if you’re really looking to protect your network.

Security Myths

There have been a couple of threads lately, one on LifeHacker, one on Ask Metafilter, about whether it’s necessary to use anti-virus software. The comments in both are a very clear indication of how far we have to go in educating users about the real danger of malware. It would appear the average user is operating under assumptions that might have been true 8 years ago. Now, it’s just a recipe for disaster.

The erroneous assumptions are that:

1) Viruses are noisy/easily visible and
2) Viruses are caused by actively bad behavior

To quote What the Geek from the LifeHacker thread,


    I have a business client whose website was giving people a trojan for a while because it got hacked - and guess what? if you didn’t have an AV running, you’d never know that it happened. It would just sit on your computer sending your data off to who knows where silently. Just because it doesn’t give you a big skull and crossbones on the screen doesn’t mean it isn’t there.

This really sums up the situation for me - an innocent user was hacked, and might never have known it, as it was silent. It’s like the difference between the demos we give of an “average scary virus” now versus the ones we gave 10 years ago. Back then, the demos were all skulls and message-boxes and file corruption and deletion. Very spooky, very visual and very loud. Now the scary demos are effectively silent. The malware can come in without any user interaction, and you’d never know it was there without specific tools to show you what changes it’s making behind-the-scenes. Off goes your credit card number and your private documents, without you being the wiser.

And this is not something that just happens in the “bad parts” of the internet. Think of the most innocuous content on the internet. Pictures of cute and fluffy animals would certainly qualify, right? At the end of last year, CuteOverload fell victim to a hacking that delivered trojans to its unsuspecting readers. And major sites are supposed to be safe, right? How about the Superbowl website hack from the beginning of last year?

One point that I think needs bringing up specifically is the question of whether to use “on-access” scanning, or if “on-demand” is enough. As Dwroth succinctly put it in the LifeHacker thread:


    All time (active protection) = good for the public, but overkill for the geek.

Turning off on-access scanning has never been a great idea, but now it could be a catastrophically bad idea. We’ve already discussed how one’s level of geekiness does not figure into one’s susceptibility to viruses which don’t require human interaction. Personally, if there’s a virus trying to get onto my computer, I’d really rather find out immediately before any changes could be made to my system rather than some time tomorrow or later this week.

A few minutes is plenty of time for malware to transmit my most sensitive data, why give it hours?

Password stealing trojan with dash of FTP and a hint of parasite

Clear-text protocols such as FTP or SMTP are unsafe. Anyone on the subnet can easily collect login usernames and passwords just by sniffing the network traffic. Even switched networks can be attacked to redirect traffic and gather credentials as simply as on a hub-based network. However, FTP is still widely used and is often the only protocol provided by hosting providers, and it’s for this reason we weren’t so surprised to come across PWS-FerTP, a piece of malware that takes advantage of this situation, collecting FTP credentials and infecting FTP repositories.

To slow down analysis, PWS-FerTP includes some (very simple) anti-debugging tricks and the VMware detection functionality shown below. It is not very stealthy, though, as it relies on well-known VMware internal mechanisms used mainly by VMware Tools to communicate with the host system.

PWS-FerTP bypasses the Windows Firewall (by modifying the registry) and starts to look for three widely used client applications providing FTP support (FAR Manager, CuteFTP and Total Commander). Indeed, these applications unfortunately use weak encryption to save FTP passwords, while other details such as logins and IP addresses are stored in the clear.

In an attempt to gather more FTP credentials, PWS-FerTP switches the first network adapter found on the system to promiscuous mode via the ioctlsocket API call, disabling MAC filtering and thus sniffing all FTP account details passing by on the current subnet.

PWS-FerTP sends all gathered credentials within specially crafted HTTP requests to a remote web server.

But PWS-FerTP is more than a password stealer – a quick string search reveals some interesting blocks of obfuscated Javascript as well:

Once decoded, the aim of this script becomes much clearer, redirecting user’s browser via an IFRAME HTML tag pointing to a malicious website.

In fact, PWS-FerTP connects to each previously gathered FTP account and looks for files whose names belong to this list:
- index.htm
- main.htm
- default.htm
- index.php
- main.php
- default.php

When such a file is found, PWS-FerTP retrieves it locally, injects the JavaScript code shown above, and puts the file back in the FTP repository.
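From the site owner’s side, the tampering described above is detectable: the trojan only ever rewrites a handful of well-known entry-page names, and what it adds (an obfuscated script block and a hidden IFRAME) leaves fingerprints. The following is an added example, not code from the original post or from McAfee. It assumes the owner keeps a manifest of known-good SHA-256 hashes of the entry pages (taken while the site was clean); the two regular expressions and the sample pages are constructed for this example.

```python
"""Detect tampering of web-root entry pages of the kind the post describes.

Added example; not code from the original post or from McAfee. Assumes the
site owner keeps a manifest of known-good SHA-256 hashes (build_manifest) and
uses two constructed heuristics for injected content: hidden IFRAMEs and
eval()/unescape()-wrapped script blocks.
"""
import hashlib
import os
import re
import tempfile

# Entry-page names the post says the trojan looks for on each FTP account.
TARGET_NAMES = {"index.htm", "main.htm", "default.htm",
                "index.php", "main.php", "default.php"}

# Heuristic 1 (constructed): an IFRAME sized to zero or hidden with CSS.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*[\"']?0(?:px)?\b"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>", re.I)
# Heuristic 2 (constructed): script wrapped in eval() or
# document.write(unescape(...)), or a long run of %XX escapes fed to unescape().
OBFUSCATED_JS = re.compile(
    r"eval\s*\(|document\.write\s*\(\s*unescape"
    r"|unescape\s*\(\s*[\"'](?:%[0-9a-f]{2}){8,}", re.I)


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def build_manifest(root):
    """Record known-good hashes of every entry page under root (run while clean)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower() in TARGET_NAMES:
                path = os.path.join(dirpath, name)
                manifest[_rel(path, root)] = sha256_of(path)
    return manifest


def scan_webroot(root, manifest):
    """Return sorted (relative path, reasons) pairs for entry pages that look tampered."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower() not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            rel = _rel(path, root)
            reasons = []
            if rel not in manifest:
                reasons.append("not in manifest")
            elif sha256_of(path) != manifest[rel]:
                reasons.append("hash differs from manifest")
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                body = f.read()
            if HIDDEN_IFRAME.search(body):
                reasons.append("hidden iframe")
            if OBFUSCATED_JS.search(body):
                reasons.append("obfuscated script")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


# Constructed sample pages: a clean page, and the same page with an injected block
# of the shape described in the post (unescape()-wrapped script plus a 0x0 IFRAME).
CLEAN_PAGE = "<html><body><h1>Welcome to the shop</h1></body></html>\n"
INJECTED_PAGE = CLEAN_PAGE + (
    '<script>document.write(unescape("%3C%64%69%76%3E%68%69%3C%2F%64%69%76%3E"))</script>\n'
    '<iframe src="http://malicious.example.invalid/" width="0" height="0"></iframe>\n')


def demo(tamper=True):
    """Build a tiny web root, take a manifest, optionally tamper one page, then scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "shop"))
        for rel in ("index.htm", "shop/main.php", "shop/about.htm"):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
                f.write(CLEAN_PAGE)
        manifest = build_manifest(root)
        if tamper:
            with open(os.path.join(root, "shop", "main.php"), "w", encoding="utf-8") as f:
                f.write(INJECTED_PAGE)
        return scan_webroot(root, manifest)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", ", ".join(reasons))
```

The hash comparison is the reliable part: any change to an entry page since the manifest was taken is reported, whatever the injected content looks like. The two regular expressions are only there to say why a changed file is suspicious; treat them as hints, not as a complete signature, and regenerate the manifest whenever the site is legitimately updated.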

Another good reason to follow well-known best practices: avoid clear-text protocols, and store your credentials in applications that provide strong encryption, such as KeePass.

‘Unsafe Hex’ About to Get More Costly?

A recent article in The Register seems to imply that if you’ve got out-of-date security software, any fraudulent charges to your accounts could suddenly be your liability. The advice given by the British Bankers’ Association includes much more than just the state of one’s security software; this could just as easily include misaddressing a check or falling victim to a phishing attack, among other things. On the other hand, it’s highly unlikely it would ever be worth the bank’s effort to invoke this clause.

From the Banking Code of the British Bankers’ Association:

    12.11 If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow Section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)

These two sections offer quite a few bullet points about how not to be a victim of identity theft or financial fraud.

    12.5
    • Do not keep your checkbook and cards together.
    • Do not let anyone else use your card, and do not tell anyone else your PIN, password, or other security information.
    • Your bank or building society will never ask you for your PIN. If you are in any doubt about whether a caller is genuine or if you are suspicious, take the caller’s details and call us.
    • If you change your PIN, you should choose your new PIN carefully.
    • Try to remember your PIN, password, and other security information, and securely destroy the notice as soon as you receive it.
    • Never write down or record your PIN, password, or other security information.
    • Always take reasonable steps to keep your card safe and your PIN, password, and other security information secret at all times.
    • If your card issuer takes part in a secure online payment system (such as Verified by Visa or MasterCard SecureCode), consider signing up either at their Web site or whenever you are given the option while shopping online. This involves your registering a password with your card company; you will be asked for the password whenever you shop at an online retailer taking part in the scheme. You should keep this password secret.
    • Never give your account details or other security information to anyone unless you know who they are and why they need them.
    • Keep your card receipts and other information about your account containing personal details (for example, statements) safe and get rid of them carefully.
    • Take care when storing or getting rid of information about your accounts. People who commit fraud use many methods, such as “bin raiding” (a.k.a., dumpster diving) to get this type of information. You should take simple steps such as shredding printed material.
    • Be aware that your mail is valuable information in the wrong hands. If you don’t receive a bank statement, card statement, or any other expected financial information, contact us.
    • You will find the APACS Web site a helpful guide on what to do if you suspect card fraud.
    12.9
    • Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
    • Keep your passwords and PINs secret.
    • We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
    • Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
    • Always access Internet banking sites by typing the bank or building society’s address into your Web browser. Never go to an Internet banking site from a link in an e-mail and then enter personal details.
    • Follow our advice: Our Web sites are usually a good place to get help and guidance on how to stay safe online.
    • Visit www.banksafeonline.org.uk for useful information.

But wait, there’s a caveat: They won’t invoke this willy-nilly:

    12.12 Unless we can show that you have acted fraudulently or without reasonable care, your liability for your card being misused will be limited as follows.

This code would be far too difficult and costly to implement in most cases. It would have to be a particularly large sum of money involved in the fraud, enough that it might be deemed worth the cost of an investigation, alienating a customer, and courting a heap of bad PR.

Although this is all good advice from the BBA, it looks like the assertion that people will suddenly be financially liable for having out-of-date security software is just a case of spreading FUD.

McAfee Avert Labs 2007 Threat Predictions PodCast

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

It’s all in the Game!

The online gaming industry has matured into a serious business with revenues running into the billions of dollars. As we know, once something gains popularity on the Internet and is profitable, it becomes an attractive target for hackers.

In the early days, game crackers spent quality time breaking CD protection or obtaining secret codes to unlock hidden weapons and levels. With the advent of both online games and Massively Multiplayer Online Role-Playing Games (MMORPGs), official gaming networks now require legitimate CD keys and/or registered accounts to log on and play online. Virus authors responded by unleashing a rash of trojan horse programs masquerading as game cheats or trainers in order to steal the CD keys of online games. To get a victim to run these trojans, the files were posted on bulletin board systems, Internet relay chat channels or popular gaming site forums. But the intended victim still had to download and execute the trojan for the ploy to work.

So the obvious question was “How to make a self-spreading game CD key stealer?” Sdbot and Gaobot, with multiplying capabilities via exploits and weak passwords, were readily available at that time. It wasn’t long before a module was written and introduced in the bot code to steal the CD keys of popular online games from Electronic Arts, id Software, Red Storm and Valve. Fortunately, most of the bots in the wild these days have dropped this functionality as the popularity of some online games has waned.

Massively Multiplayer Online Role-Playing Games like Lineage, World of Warcraft and the Final Fantasy series rule the gaming world today, with an insane number of hardcore gamers competing against each other in the virtual world. Every day, McAfee Avert Labs receives numerous malware samples designed to steal game account information for popular game titles. And in a shift away from trojan horse programs masquerading as game cheats, we are seeing a trend where virus authors are writing old-school viruses like W32/Bacalid, W32/Detnat and W32/Philis that target popular role-playing games.

Are these guys doing it for the love of the game? Nope, that sounds too good to be true. Underground RMT (real-money trading) groups thrive on dealing in stolen game accounts and operate mostly out of Asia. With a player’s stolen account information, their virtual assets can be transferred to another player’s account or simply auctioned off and sold for real money. This phenomenon is currently region-specific but could easily reach menacing proportions similar to the threats plaguing online banking.

ATM security is still computer security

There have been a few articles today about a method to hack ATMs whose default administrative passwords have not been changed. This shouldn't be entirely surprising, for a number of reasons. We already know some ATMs are also vulnerable to viruses, voting machines can be hacked, etc. Good security practices are good security practices regardless of the specific operating system being used. The hacking incidents mentioned above, in particular, are caused by the same basic conditions that have led to the prevalence of things like bots and password-stealers. In the case of the voting machines and password-stealers, important data kept unencrypted is easy to steal or manipulate. In the case of ATMs and bots, using easy-to-guess passwords makes it very easy to add or subtract things from your machine.

People seem to get lulled into complacency because their particular machine or operating system isn't in common usage, regardless of whether the OS is on a laptop/desktop machine or on another sort of device. Security through obscurity will only get you so far, especially when your device has something of monetary value on (or in) it.

Nightmares of Data Retention on Cell Phones

McAfee Avert Labs has been getting a lot of questions about the dangers of data-retention on cell phones. There’s an article covering the concept here.

Here’s our take on the situation: modern cell phones (“smartphones”) are miniature, portable computers, and they will bring along all the same problems as the technology matures: viruses, spam, phishing (or smishing), and people stealing data from lost, stolen, recycled, or resold devices.

“But I deleted those messages?!?! How can someone get it back?!?”
I think this is best explained by an analogy: think of your device (phone, computer, etc) data as being a textbook: Table of Contents in the front, informational pages towards the back. You write a document and you add pages to the book. The computer, when asked for a document, will look in the table of contents to figure out what page to read.

Makes sense so far, but when you remove a file, the computer doesn’t erase the pages in the back; it removes the entry from the table of contents, so that it no longer knows or cares where the information is. “Why?!?” you may ask . . . well, in a nutshell, computers are lazy (i.e., efficient) and this is the fastest way to “remove” the file from the system. Those pages may be overwritten some day . . . .

But, this introduces a problem: someone could manually search for the pages (skim the book, if you will) and then find and reconstruct the documents (until the page is recycled at least).

This is the problem that many people who have sold their cell phones are discovering: those who purchased them have retrieved (or are at least able to retrieve) the deleted files, files that contain personal messages, e-mail, address books, and worse.

If you are going to dispose of your phone, please contact the manufacturer or your carrier and ask them how to do a “low-level” or “zero-level” wipe. This is analogous to going through the book with an eraser and scrubbing out each and every letter so that the pages are blank. This makes it quite difficult for the data to ever be retrieved.

This is, of course, exactly what you should do with your computer’s hard drive if you dispose of it.
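The textbook analogy can be made concrete with a toy storage model. The following is an added example, not code from the original post: a table of contents plus fixed-size data pages, with an ordinary delete that only drops the TOC entry, a carving routine that scans pages the way a recovery tool does, and a low-level wipe that overwrites every page. The page size and the sample messages are constructed for illustration; real file systems differ in detail but follow the same pattern.

```python
"""Toy model of the 'textbook' analogy: a table of contents plus data pages.

Added example, not from the original post. Page size, sample messages and the
carving helper are constructed for illustration.
"""


class ToyStorage:
    PAGE_SIZE = 16  # bytes per page (constructed value)

    def __init__(self, pages):
        self.pages = [bytes(self.PAGE_SIZE)] * pages  # the informational pages
        self.toc = {}  # table of contents: name -> list of page numbers

    def _allocated(self):
        return {p for page_list in self.toc.values() for p in page_list}

    def write(self, name, data):
        """Add a document: copy it into free pages and record them in the TOC."""
        chunks = [data[i:i + self.PAGE_SIZE]
                  for i in range(0, len(data), self.PAGE_SIZE)]
        free = [i for i in range(len(self.pages)) if i not in self._allocated()]
        if len(chunks) > len(free):
            raise ValueError("storage full")
        used = free[:len(chunks)]
        for page_no, chunk in zip(used, chunks):
            self.pages[page_no] = chunk.ljust(self.PAGE_SIZE, b"\0")
        self.toc[name] = used

    def read(self, name):
        """Normal access: consult the TOC, then read the pages it points to."""
        return b"".join(self.pages[p] for p in self.toc[name]).rstrip(b"\0")

    def delete(self, name):
        """Ordinary delete: only the TOC entry goes; the pages keep their bytes."""
        del self.toc[name]

    def carve(self, needle):
        """Recovery-tool view: scan every page for needle, ignoring the TOC."""
        return [i for i, page in enumerate(self.pages) if needle in page]

    def wipe(self):
        """Low-level wipe: overwrite every page, not just the TOC."""
        self.pages = [bytes(self.PAGE_SIZE)] * len(self.pages)
        self.toc = {}


def demo():
    """Walk through delete, partial overwrite through page reuse, and a full wipe."""
    disk = ToyStorage(pages=4)
    # Constructed 25-byte message; it spans two pages.
    disk.write("sms.txt", b"PIN is 4321, call at noon")
    disk.delete("sms.txt")
    after_delete = disk.carve(b"4321")       # page 0 still holds the PIN
    disk.write("note.txt", b"grocery list")  # reuses page 0 and overwrites it
    after_reuse_pin = disk.carve(b"4321")    # the PIN is now gone
    after_reuse_rest = disk.carve(b"noon")   # page 1 was never recycled
    disk.wipe()
    after_wipe = disk.carve(b"noon")         # nothing survives a full overwrite
    return {"after_delete": after_delete, "after_reuse_pin": after_reuse_pin,
            "after_reuse_rest": after_reuse_rest, "after_wipe": after_wipe}


if __name__ == "__main__":
    for step, pages in demo().items():
        print(f"{step}: pages still holding the text = {pages}")
```

The walk-through shows all three points made above: after the delete the message is still on page 0, writing a new document recycles that page and destroys part of the message while the rest lingers on page 1, and only the wipe clears everything. The same reasoning is why a simple delete is not enough before a phone or a hard drive changes hands.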

I can’t say it enough: your smartphone is a computer; you need to treat it as such and exercise the same level of caution you would give to your traditional PC.

Recent Phishing Trends

In the last year phishing e-mails have increased by approximately 25%. Fraudsters are still targeting the high-profile banks, financial institutions and e-commerce sites that they have targeted in the past, but in many cases they are changing the content of the phishing mails from the "change your password now" type of scam that has been prevalent in the past to more varied and directed messages.

In addition to attacking these well known companies, fraudsters are increasingly targeting smaller European and American financial institutions, and the targets are changing almost daily.

The old rules still apply to these new types of phish: always visit your bank's website by typing the name directly into your browser, or from a bookmark in your browser, rather than following a link in an e-mail.

The e-commerce phish has also become more directed; much of the phish targeting popular online auction sites appears to have been sent from another user rather than from the auction site. For example, many of the phish are fake messages claiming that you bought an item and have not paid, or the other user has raised a dispute against you, or is enquiring about an item for sale. In all these cases if you think that the message may be genuine then if you log directly into the auction site (do not click on the links in the email) you can see if anyone has tried to contact you.

Even though the content of the phishing messages has become more varied, the social engineering techniques used are still the same, and can be avoided by visiting the financial site directly rather than clicking a link in an email.
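Why the "type the address yourself" rule matters can be shown on a constructed message. The following is an added example, not code from the original post: it pulls every link out of an HTML e-mail body and reports links whose real target is outside the domain the message claims to come from, and links whose visible text names a different host than the underlying href. The sample mail, the claimed domain and the matching rule are constructed for this example.

```python
"""Check the links in an e-mail body against the site it claims to come from.

Added example, not from the original post. The sample message, the claimed
domain and the host-matching rule are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case host name of a URL; bare 'www.site.tld/path' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_links(html_body, claimed_domain):
    """Return one (href, reason) finding per link that does not lead where the mail suggests."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if not belongs_to(target, claimed_domain):
            findings.append((href, f"points to {target!r}, not {claimed_domain!r}"))
        # Only compare visible text that itself looks like a URL.
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = host_of(text)
            if shown != target:
                findings.append((href, f"visible text says {shown!r} but target is {target!r}"))
    return findings


# Constructed sample: a 'you have not paid / a dispute was opened' style message
# whose dispute link shows the auction site's name but leads elsewhere.
SAMPLE_MAIL = """<p>Hello, you won item #4455 but have not paid.</p>
<p>The seller has opened a dispute. Respond here:
<a href="http://example-auction.com.login.example.net/dispute">www.example-auction.com/disputes</a></p>
<p>Or visit our <a href="https://help.example-auction.com/">help pages</a>.</p>
"""


def demo():
    return check_links(SAMPLE_MAIL, "example-auction.com")


if __name__ == "__main__":
    for href, reason in demo():
        print(href, "->", reason)
```

Note that the first link is flagged twice: its host is not under the claimed domain, and its visible text names a host the href does not go to. The second link is legitimate under the constructed rule because `help.example-auction.com` is a subdomain of the claimed domain. A check like this only catches the crude cases; logging in to the site directly, as the post advises, sidesteps the problem entirely.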

Printer Woes!

Gone are the days when dumpster diving, or going through waste printer paper in the trash, was used to gain sensitive information about an organization. The paper shredder was a cheap and effective solution to the problem of dumpster diving. The occasional confidential printout still pops up here and there due to a failed print job, but that we can blame on the faulty ink cartridge!

Today's printers are state-of-the-art multi-function devices that also serve as fax machines, photocopiers or even mini file servers. They come with their own stripped-down operating systems, usually Linux or NetBSD, and support most network protocols, namely IP, IPX and AppleTalk. However, few organizations take measures to secure their printing devices, either physically or on the network.

Most printers can be reset to their factory defaults by certain key combinations or via a hard reboot, depending on the vendor and model. The default usernames and passwords used to configure the printer via the web administration or SNMP interface are usually freely available on the Internet. Once the printer is reset and an attacker is logged in, he could re-configure it to dump every job sent to the print spool to disk.

More recently, at the just-concluded Black Hat conference, a security researcher demonstrated how to run unauthorized software on a printer, compromise network traffic, and access sensitive information being printed, by taking advantage of a configuration error in the printer's web interface. With the kind of sensitive information being sent to printers, they do become a soft target for an attacker wanting to eavesdrop on sensitive company data.

To date, software and firmware upgrades for printers were unheard of unless something went really wrong with the printer. The wake-up call has now been sounded for IT managers to revisit printers and secure them both physically and through software security measures.

French companies are concerned with their computer security

On Wednesday, the CLUSIF (Club for the Security of Information in France) presented its study "Policies of Computer Security & Losses in 2005". The study concludes that French companies are increasingly setting up policies and procedures to protect their information systems; however, they fall short on approving the budgets necessary to support them.

In a 58-page document (in French), the association synthesizes the testimonies of representatives of 400 companies with more than 200 employees from all business sectors. Results show that in 2005, 56% of French companies had a defined policy for information system security, compared with only 41% two years ago when the previous study was conducted.

CLUSIF notes that only 38% of the companies envisage increasing the budget for information system security, 46% announce that they will keep it constant, 4% will reduce it, and 12% have not made a decision. The study notes that upper management seems difficult to convince: they are not yet completely reassured about the correct use of the budgets they have already accepted and approved for their company's security.

In addition, the study demonstrates a "strong will of control" on behalf of the people in charge of the information system security (RSSI). Most prefer to block the use of new technologies rather than to seek a solution for its secure deployment. Thus 76% of them prohibit webmail access, 73% refuse VoIP use, 56% prohibit Wi-Fi and 43% prohibit PDA and smartphones.

Regarding recorded losses, only 36% mentioned viruses and 2% intrusions into the system. The largest share, 56%, comes from design errors or software deployment; 47% from the loss of essential services such as electricity and telecommunications; and 46% from errors of use.

Losses due to accidental causes remain the most numerous. Malice and negligence are nevertheless present: at first they appear numerically weak, but when we look at them cumulatively and extrapolate to French companies as a whole, the number of reported incidents seems significant:

  • Design errors in software deployment : 58%
  • Loss of essential services : 47%
  • Errors of use : 46%
  • Theft : 44%
  • Internal breakdowns : 37%
  • Virus infections : 36%
  • Natural disasters : 8%
  • Physical accident : 6%
  • Data disclosure : 4%
  • Targeted attacks : 4%
  • Malicious acts : 3%
  • Sabotage : 3%
  • Intrusion : 2%
  • Fraud : 2%

Stolen VA Computer Recovered

Yea! And maybe, hopefully, none of the identity information was compromised. (See story.) What can we learn from this?

First, CA SB 1386, California's breach notification law, exempts data that is encrypted. That should seem outright obvious to everyone. ENCRYPT IT!

There is a question whether the employee had permission to have the data at home. Make sure you have a policy that settles this. For instance, if I have permission to work at home, and I have permission to access the data, without further conditions, this presumes I have permission to have the data at home. If that is not what you want, make sure everyone knows the rules and the permissions required.

There is the question whether the identity information was compromised. How can we help answer that if it happens to us? First, make sure that any extract from the main database is produced in *encrypted* form, and log the access and review the log often. This establishes that the data on the recipient's machine is expected to stay encrypted. Knowing he has a protected copy, the user can erase any unencrypted version whenever it is not actively being used, so the lifespan of cleartext copies is shorter. Second, this forces the worker to decrypt the information at the time he needs to work with it, creating a new file with the then-current timestamp, which helps forensics.

This is not a complete solution, because the create/delete/create/delete cycle fills the hard disk with "unused" sectors that still contain the sensitive information. But that would happen without this process too. So at least adopt a process that is useful, and remember that the disk's free space needs to be wiped often.
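The extract lifecycle described above (an encrypted subset on export, an access log entry per export, decryption only while working, and wiping of the cleartext copy afterwards), as an added example that is not code from the original post. It uses only the Python standard library, so the cipher is a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; in production you would use AES-GCM from a vetted library instead. The veterans table, the passphrase, the user name and the file names are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import secrets
import sqlite3
import struct
import tempfile
import time
from pathlib import Path

# Stand-in authenticated cipher: HMAC-SHA256 used as a PRF in counter mode,
# with a separate HMAC tag over salt || nonce || ciphertext (encrypt-then-MAC).
# It only exists to keep this example dependency-free; use AES-GCM in practice.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])

def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    # One PBKDF2 run yields two independent keys: encryption and MAC.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]

def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    ek, mk = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    tag = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag          # layout: salt(16) nonce(16) ct tag(32)

def decrypt(passphrase: str, blob: bytes) -> bytes:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    ek, mk = derive_keys(passphrase, salt)
    expected = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("extract tampered with or wrong passphrase")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def is_intact(passphrase: str, blob: bytes) -> bool:
    try:
        decrypt(passphrase, blob)
        return True
    except ValueError:
        return False

def export_extract(db: sqlite3.Connection, query: str, passphrase: str,
                   out_path: Path, log_path: Path, user: str) -> int:
    """Run the query, write the result encrypted, and append one access-log line."""
    rows = [dict(r) for r in db.execute(query)]
    blob = encrypt(passphrase, json.dumps(rows).encode())
    out_path.write_bytes(blob)
    entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "user": user,
             "query": query, "rows": len(rows), "extract": out_path.name,
             "sha256": hashlib.sha256(blob).hexdigest()}   # ties log line to the file
    with log_path.open("a") as f:
        f.write(json.dumps(entry) + "\n")
    return len(rows)

def open_for_work(extract_path: Path, passphrase: str) -> Path:
    """Decrypt to a fresh file; its mtime records when the cleartext was created."""
    clear = extract_path.with_suffix(".clear.json")
    clear.write_bytes(decrypt(passphrase, extract_path.read_bytes()))
    return clear

def wipe(path: Path, passes: int = 3) -> None:
    """Overwrite in place, then unlink. Best effort only: journaling filesystems
    and SSD wear-levelling can keep old sectors, which is why the post also asks
    for regular free-space wiping."""
    size = path.stat().st_size
    with path.open("r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())
    path.unlink()

def demo() -> dict:
    """Whole cycle on constructed sample data, in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE veterans (name TEXT, ssn TEXT, dob TEXT)")
    db.executemany("INSERT INTO veterans VALUES (?, ?, ?)",
                   [("A. Example", "000-00-0001", "1950-01-01"),
                    ("B. Example", "000-00-0002", "1962-07-04")])
    extract, log = work / "extract.enc", work / "access.log"
    n = export_extract(db, "SELECT * FROM veterans", "correct horse", extract, log, "jdoe")
    clear = open_for_work(extract, "correct horse")
    rows = json.loads(clear.read_text())      # the work happens on the cleartext copy
    wipe(clear)                               # cleartext gone, encrypted copy remains
    return {"exported": n, "worked_on": len(rows), "cleartext_left": clear.exists(),
            "log_entries": len(log.read_text().splitlines()),
            "ciphertext_has_ssn": b"000-00-0001" in extract.read_bytes()}

if __name__ == "__main__":
    print(demo())
```

The log line carries the hash of the encrypted file, so during an investigation a recovered extract can be matched to the export that produced it, and the cleartext file's timestamp tells you when it was last decrypted.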

When is the best time to learn and think about all this? When someone *else* makes the mistake, of course. Unless your purpose is to get funding. But do you really want to spend that much money and face all that bad publicity?

Deloitte 2006 Global Security Survey

The 2006 Global Security Survey of the financial services industry, conducted by Deloitte Touche Tohmatsu (DTT), has just been released. This survey of the world's 100 largest financial services organizations reports a surge in digital attacks over the past year.

The world's largest financial institutions experienced a surge in the number of digital attacks over the past year, specifically from external sources. More than three-quarters (78%, up from 26% in 2005) of respondents confirmed a security breach from outside the organization, and almost half (49%, up from 35% in 2005) experienced at least one internal breach. Among the key points of the survey: the sophistication of attacks and the proliferation of vulnerabilities dominate attention. When asked to rate the intensity of perceived threats over the next twelve months, 53% of respondents chose phishing and pharming, while 51% chose viruses, spyware, Trojans and worms. While internal threats continue to rise compared with previous years, organizations appear more concerned with threats from the outside, since, in their minds, these bring a higher degree of publicity and potential damage to their reputation.

The study suggests that financially motivated, targeted attacks are increasing and that the criminal profile is shifting, from script kiddies and disorganized hackers to well-funded organized crime rings whose around-the-clock, across-the-globe attacks yield a big financial payback. This trend clearly shows that random acts of vandalism (such as the web page defacements experienced by 4% of respondents) have been replaced by purposeful, targeted criminal activity (such as the successful phishing attacks experienced by 51% of respondents).
In the survey, identity theft is called the "Crime of the 21st Century". Along with account fraud, these are the two priorities that financial institutions will likely be focusing on this year.

To end this note, I am surprised by the classification of external breaches experienced by the companies, quoted on page 26:

  • Viruses/worms : 63%
  • Phishing/pharming : 51%
  • Spyware/malware : 48%

A bit of clarification may be needed on Deloitte's definition of malware in order to understand why viruses and worms (pages 26 and 27) and Trojan horses (page 29) are not classified in this category. By their definition, malware only covers malicious programs "deployed to extort some form of monetary gain", as explained in this press release.

This interesting survey is available at:
http://www.deloitte.com/dtt/research/0,1015,sid=1000&cid=121102,00.html

Data protection is cheaper than a data breach

In May 2006, millions of U.S. military veterans were worried about the risk of identity theft after their electronic records were stolen from the home of an agency employee. The data was stored on a laptop, and the laptop was stolen. It contained the names, Social Security numbers and dates of birth of some 26.8 million veterans.

Commenting on this incident, Gartner analyst Avivah Litan explained in a research note that data protection is cheaper than a data breach.

"A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined," Ms. Litan said. "This compares with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach."