[SecurityRatty] tag: employees

Shell fingers IT contractor in theft of employee data

Mon, 06 Oct 2008 00:00:00 +0000

Shell Oil has notified its U.S. employees that an IT contractor used the personal data of four Shell workers to file fake unemployment claims in Texas.

Shell blames IT contractor for benefits fraud

Sun, 05 Oct 2008 20:00:00 +0000

Shell Oil is warning employees that a contractor used their personal information to run an unemployment-insurance-claim scam in Texas.

Top 10 ways collaboration, mobility amplify data leakage dangers: Cisco study

Mon, 29 Sep 2008 20:00:00 +0000

Numerous behavioral risks taken by employees in increasingly distributed and remote locations can lead to the loss of corporate information, according to a study commissioned by Cisco.

Five mistakes security pros would make again

Sun, 28 Sep 2008 20:00:00 +0000

Ten years ago, Michael Riva was network administrator for a top-five American consultancy. Employees were downloading graphic pictures and videos onto the network. Riva told his boss a proxy server with content filtering might be in order; his boss laughed and suggested they put in a bigger file server instead.

CEO is Bludgeoned to Death in India.

Thu, 25 Sep 2008 11:44:00 +0000

American CEOs shouldn't be too troubled by the heat they are taking for their "Golden Parachute" bonuses which are worth tens of millions of dollars. If they were in India, they might just get beaten to death.

The CEO of an Italian auto parts subsidarary based in Greater Noida, was beaten to death by an angry mob of 200 workers who had been locked out of the factory. They stormed the offices and killed the CEO with a hammer and injured 50 other Executives and workers.

Eye witness reports claim that Police took over an hour to respond and when they did they only sent a couple of officers who were vastly outnumbered. Today on CNN, it was reported that Police charged 63 employees with the murder.

Have CrackBerry, Will Travel

Thu, 25 Sep 2008 04:45:34 +0000

Blogger: Dan Blum

It is no surprise for us to hear loose lips flapping in India about a capability to decrypt Blackberry and other carrier traffic.

After all, we’ve done basic threat analysis for years and it was only months ago that I was brought into a company-wide CISO meeting at a U.S. defense contractor to help them hash out their travel policy for mobile devices. Going into the meeting, I knew their policy restricted taking devices to a list of countries considered dangerous – but there was an exemption for BlackBerries.

Our research uncovered that BlackBerry is pretty secure in most respects. It has transport encryption along with optional password protection, remote kill, disk encryption, and S/MIME encryption. Viruses have not flourished on this functionally limited and closed platform. Few if any third party add on programs are required for additional protection. Nonetheless, I went into the meeting prepared to talk with the CISOs about the risks and security limitations of life on BlackBerry.

Was the BlackBerry exemption reasonable? At the time, BlackBerry transport encryption was not known to have been broken (to be fair, the article listed above still qualifies as rumor, not certainty of breakage). However, I pointed out that it is dangerous to assume well-equipped attackers like military or intelligence organizations can’t crack transport encryption. And even if they haven’t cracked the BlackBerry network and whole disk encryption features, sophisticated adversaries have other attack paths. Check out Neal Stephenson’s excellent book Cryptonomicon for a description of how a talented adversary might “see” your keystrokes and screen images through a motel room wall, for example.

If one of your employees – such as a key scientist, project manager, or executive – is targeted for surveillance and is carrying sensitive data through certain countries, one could argue that he or she had better undergo serious counter-intelligence training. Learn to spot and shake tails, sneak into dark alleys for that BlackBerry fix. Learn to paper the closet with layers of aluminum foil and send messages in the dark. Defend that BlackBerry with encryption, long passphrases, and kung fu. But unless James Bond is running your company, I doubt this is what your executives have in mind for the next business trip!

Assuming your organization’s lower level employees are like needles in a haystack and won’t be bothered could be an exercise in wishful thinking. It is always possible that nation states are monitoring some or all of the airwaves. Not so long ago the NSA had a massive a covert surveillance program in place. Years before the government was reportedly snarfing up terabytes of emails and crunching them through a program called Carnivore. And of course, selective monitoring of people on watch lists continues on a large scale. This is just the surveillance we know about in the U.S. We suspect there’s more behind the scenes and especially in countries such as China. Even if you train your non-specifically-targeted low level employees to write and speak in search-keyword-free code, the carnivore programs of the world are pretty good at sniffing out those interesting needles – such as descriptions of your business plans, manufacturing processes, and trade secrets.

Sound paranoid? I admit that I don’t know what the probabilities of being targeted or monitored are – just that it can happen. It’s the height of arrogance to believe that a nation state can’t get your information if they’ve targeted it and you’re within their borders. And it’s dangerous to rely on security by obscurity when medium or high consequence information must be protected.

What can be done? If key personnel can't dispense with the BlackBerry (or any other email device) during international travel to those countries where information may be most at risk, they (the users) should limit communications to what they’d feel comfortable uttering over a potentially-monitored telephone call. Controlling incoming communications – messages sent by others – is a harder problem. Until data loss prevention (DLP) products become more contextually sensitive about the travel issues, it may be best not to synchronize the BlackBerry with the overseas user’s home mailbox. Instead, have the user give out a temporary address for the BlackBerry and warn senders to be discreet.

BetOnSports.com Gambling Site Worker Pleads Guilty After Stealing Gamblers Personal Info

Tue, 23 Sep 2008 07:48:46 +0000

An employee of the offshore Internet gambling website BetOnSports.com has pleaded guilty to charges stemming from his role in a large Internet-based identity theft ring. BetOnSports PLC does not exist since July 2006 and the Antigua Financial Services Regulatory Commission is assisting/supervising its settlements with creditors, customers and employees. The ex-CEO David Carruthers was arrested [...]

Bank Employees become Phish Bait?

Sun, 21 Sep 2008 20:00:00 +0000

What a week it was in the financial markets! With Lehman Brothers filing for bankruptcy, and Barclays subsequently buying up some of the assets; with Merrill Lynch finding a safe harbour at Bank Of America; and then, closer to home (for me at least) the merger of two of the biggest UK retail banks, HBOS and LloydsTSB.

During this coming period, it is a reasonably safe bet that we may be in for a flurry of phishing attacks targeting the customers of these institutions using ruses like share “windfalls” and the like to tempt individuals into disclosing their credentials. However, in this blog, that’s not what I want to talk about. The implications for the employees of these organisations are, of course, also huge, and the degree of uncertainty and change that will ensue for a period of time will provide ample opportunity for the criminal fraternity to exploit....

TSA Employees Bypassing Airport Screening

Fri, 19 Sep 2008 04:01:03 +0000

Airport screeners are now able to bypass airport screening :

The Transportation Security Administration (TSA) rolled out the new uniforms and new screening policy at airports nationwide on Sept. 11.
The new policy says screeners can arrive for work and walk behind security lines without any of their belongings examined or X-rayed.

"Lunch or a bomb, you can walk right through with it," said Mike Boyd, an aviation consultant in Evergreen. "This is a major security issue."

Actually, it's not. Screeners have to go in and out of security all the time as they work. Yes, they can smuggle things in and out of the airport. But you have to remember that the airport screeners are trusted insiders for the system: there are a zillion ways they could break airport security.

On the other hand, it's probably a smart idea to screen screeners when they walk through airport security when they aren't working at that checkpoint at that time. The reason is the same reason you should screen everyone , including pilots who can crash their plane: you're not screening screeners (or pilots), you're screening people wearing screener (or pilot) uniforms and carrying screener (or pilot) IDs. You can either train your screeners to recognize authentic uniforms and IDs, or you can just screen everybody. The latter is just easier.

But this isn't a big deal.

HP layoffs, Wall Street blues, Palin's hack

Thu, 18 Sep 2008 20:00:00 +0000

The week got off to a rough start with the collapse of Lehman Brothers sending shudders through global financial markets and raising questions about whether there will be a ripple effect on the IT industry. After the market closed Monday, Hewlett-Packard added to the dismal mood by announcing it will lay off 24,600 employees as it integrates Electronic Data Systems into the HP fold. Republican vice presidential candidate Sarah Palin was the victim of an apparent hacking attack on the Yahoo account she uses for official business as governor of Alaska, and in other government-related IT news, a GAO report says the U.S. does a lousy job of following its regulations regarding electronic-waste shipment and disposal.