Archive for March 2011

Lax Overseas Data Breach Laws Attract Enterprises

About 70% of organizations that store sensitive data abroad choose to do so in countries with lenient breach notification requirements!

Many companies that look to process and store sensitive data — including intellectual property — abroad as a cost-cutting measure are seeking countries with minimal data breach notification requirements, according to a survey of 1,000 senior IT decision makers by market research firm Vanson Bourne. The survey was sponsored by Intel’s McAfee and Science Applications International Corporation (SAIC).

The economic downturn has been driving companies to process and store more types of sensitive information abroad, according to the survey. Today, about 50% of organizations said they would do this as a cost-cutting measure. Meanwhile, about 33% of organizations said they want to store more sensitive information outside their home borders, which is an increase from 20% in 2008.

Interestingly, about 80% of organizations said that their choice of data storage locale is influenced in part by a country’s data breach laws. About 70% of organizations that do store information abroad select countries with more lenient notification rules.

Geographically speaking, which countries are the safest for storing data? “While attacks are hard to trace back to a specific country, China, Russia, Pakistan are perceived to be the least safe for data storage,” according to a related report from McAfee and SAIC. Those rankings remain unchanged from 2008, as do the countries perceived to be the safest places for storing data: the United Kingdom, Germany, and the United States.

From InformationWeek:

Cyber attack targeted Paris G20 meeting attendees

The Group of Twenty (G-20) Finance Ministers and Central Bank Governors was established in 1999 to bring together systemically important industrialized and developing economies to discuss key issues in the global economy. Not everyone agrees with the work they are doing.

The French finance ministry has confirmed it came under a cyber attack in December that targeted files on the G20 summit held in Paris in February.

More than 150 of the ministry’s 170,000 computers were affected.

“We noted that a certain amount of the information was redirected to Chinese sites,” an anonymous official was quoted by the French magazine. “But that [in itself] does not say very much.”

From the BBC:

A Declaration of Cyber-War

Last summer, the world’s top software-security experts were panicked by the discovery of a drone-like computer virus, radically different from and far more sophisticated than any they’d seen. The race was on to figure out its payload, its purpose, and who was behind it. As the world now knows, the Stuxnet worm appears to have attacked Iran’s nuclear program. And, as Michael Joseph Gross reports, while its source remains something of a mystery, Stuxnet is the new face of 21st-century warfare: invisible, anonymous, and devastating.

All over Europe, smartphones rang in the middle of the night. Rolling over in bed, blinking open their eyes, civilians reached for the little devices and, in the moment of answering, were effectively drafted as soldiers. They shook themselves awake as they listened to hushed descriptions of a looming threat. Over the next few days and nights, in mid-July of last year, the ranks of these sudden draftees grew, as software analysts and experts in industrial-control systems gathered in makeshift war rooms in assorted NATO countries. Government officials at the highest levels monitored their work. They faced a crisis which did not yet have a name, but which seemed, at first, to have the potential to bring industrial society to a halt.

A self-replicating computer virus, called a worm, was making its way through thousands of computers around the world, searching for small gray plastic boxes called programmable-logic controllers—tiny computers about the size of a pack of crayons, which regulate the machinery in factories, power plants, and construction and engineering projects. These controllers, or P.L.C.’s, perform the critical scut work of modern life. They open and shut valves in water pipes, speed and slow the spinning of uranium centrifuges, mete out the dollop of cream in each Oreo cookie, and time the change of traffic lights from red to green.

Although controllers are ubiquitous, knowledge of them is so rare that many top government officials did not even know they existed until that week in July. Several major Western powers initially feared the worm might represent a generalized attack on all controllers. If the factories shut down, if the power plants went dark, how long could social order be maintained? Who would write a program that could potentially do such things? And why?

As long as the lights were still on, though, the geek squads stayed focused on trying to figure out exactly what this worm intended to do. They were joined by a small citizen militia of amateur and professional analysts scattered across several continents, after private mailing lists for experts on malicious software posted copies of the worm’s voluminous, intricate code on the Web. In terms of functionality, this was the largest piece of malicious software that most researchers had ever seen, and orders of magnitude more complex in structure. (Malware’s previous heavyweight champion, the Conficker worm, was only one-twentieth the size of this new threat.) During the next few months, a handful of determined people finally managed to decrypt almost all of the program, which a Microsoft researcher named “Stuxnet.” On first glimpsing what they found there, they were scared as hell.

More from Vanity Fair magazine:

DHS Report: Digital Immigration Records Vulnerable to ‘Insider Threat’

The Department of Homeland Security’s U.S. Citizenship and Immigration Services has made progress securing its cyber networks from potential insider threats.

However, gaps in security still remain, including one that could allow malicious insiders to tamper with digital immigration records.

A far-reaching security audit of USCIS, undertaken by the Software Engineering Institute at Carnegie Mellon University, singled out the Transformation program at Immigration and Customs Enforcement as one of the most vulnerable.

The findings revealed the department had not taken enough steps to secure the digitized immigration paperwork, which, if tampered with, could grant access to terrorists or other malcontents, Federal News Radio reported.

The multimillion-dollar Transformation program, designed to digitize immigration records, has been plagued by work delays that have caused it to run 10 years behind schedule, InformationWeek reported.

Despite the over-runs, DHS appears to be leaning heavily on the program “to correct many of the problems resulting from legacy systems,” according to InformationWeek.

But the recent IG report may put a new wrinkle in the program.

Specifically, the report found that while the Transformation program encompassed risk management, it had failed to adequately account for the risk from the insider threat.

“USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort,” the report found.

Insider threat risk mitigation in the federal government received a jolt of attention following the revelations that a so-called insider — an allegedly disgruntled Army private — was reported to have leaked classified materials to whistle-blower site WikiLeaks.