Are You Insured for Cyber Theft?


Aug. 30, 2010

Cybercriminals are creating hardship for businesses and consumers on a regular basis. A post by blogger Brian Krebs caught my eye – a Texas company is struggling to get its bank to reimburse it for a $50,000 cyber theft.

“Attorneys for Dallas-based Hi-Line Supply Inc. recently convinced a state court to require depositions from officials at Community Bank, Inc. of Rockwall, Texas,” wrote Mr. Krebs. “Hi-Line requested the sworn statements to learn more about what the bank knew in the time surrounding Aug. 20, 2009, when crooks broke into the company’s online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line.”

The deposition transcripts are sealed, but Hi-Line’s lawyers maintain the bank is guilty of security incompetence, and a lawsuit might be the next step.

Mr. Krebs quoted an attorney:

“In the event Community Bank refuses to resolve this matter, now that we have uncovered some of the information obtained by virtue of the court’s order, Hi-Line intends to assert claims for misrepresentation, violations of the Texas Deceptive Trade Practices Act, fraud, and breach of warranties, among other things,” said Michael Lyons, a partner with the Dallas law firm Deans Lyons.

The fraud apparently began on Aug. 20 last year when Hi-Line processed its $25,000 payroll, according to Gary Evans, the firm’s president.

“After Hi-Line submitted that batch of payments to its bank, the unknown intruders attempted two more transfers of nearly identical amounts on Friday and the following Monday, Aug. 24,” explained Mr. Krebs. “Evans said he had trouble logging in to his account on Thursday and had the bank reset his password, but the fraudulent transactions hadn’t shown up on his account at that time. He said he took that Friday off as he always does, and when he tried again to log in after returning to work on Monday, he again found the bank’s site would not accept his password.”

Then, Mr. Evans sensed trouble.

“When I finally got the bank to reset my password and got into my account, I noticed the duplicate payroll batches and said ‘Why are you all pulling my payroll out three times?’” Mr. Krebs quoted Mr. Evans about his recollection of how he came to realize his firm had been robbed. “At the time, as I was resetting my password, I had to scroll through the bank’s online customer agreement, which basically said the bank is not responsible for any fraud. I should have known at that point that they were not going to take any responsibility for this at all.”

Mr. Evans maintains the bank should have taken notice.

“Evans said the bank should have detected that something was amiss, and not just because of the unusual and repeated payroll batches,” wrote Mr. Krebs. “He said the crooks accessed his account from five different Internet addresses with locations that were nowhere near Texas, including from computers located more than 1,300 miles away, in Washington, D.C. and Maryland.”

Mr. Krebs says Community Bank did not respond to his request for comment, but the bank’s deposition claims the cybercriminals “had infiltrated Evans’ computer with a virus and used it to steal his online banking credentials, which included a user name, password, PIN and several challenge/response questions.”
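Here, as an added illustration that is not code from Mr. Krebs’s post, from this column or from any bank, is a small Python script showing two of the checks Mr. Evans says the bank should have run: whether sessions are arriving from unfamiliar addresses far from the customer’s usual location (and how many such addresses turn up in a week), and whether a payroll batch nearly repeats one submitted days earlier or pays people the customer has never paid. The login and batch records are constructed to follow the outline of the case; the IP addresses are from the RFC 5737 documentation ranges, the coordinates stand in for what a GeoIP lookup would return, and the 500-mile, 5 percent and one-week thresholds are arbitrary.

```python
"""Two checks a bank could run on online-banking activity.

Added example (not code from the column, from Mr. Krebs, or from any bank).
All records are constructed: IP addresses come from the RFC 5737 documentation
ranges, coordinates are hard-coded stand-ins for a GeoIP lookup, and the
thresholds are illustrative rather than industry values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    customer: str
    when: datetime
    ip: str
    lat: float  # assumed output of a GeoIP lookup on `ip`
    lon: float


@dataclass(frozen=True)
class Batch:
    customer: str
    when: datetime
    total: float
    payees: frozenset


def miles_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in statute miles."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(a))


def flag_logins(logins, home, known_ips, max_miles=500.0):
    """Flag sessions from an address never seen for this customer that also
    geolocate farther than `max_miles` from the customer's usual location."""
    flagged = []
    for lg in logins:
        if lg.ip in known_ips:
            continue
        dist = miles_between(lg.lat, lg.lon, *home)
        if dist > max_miles:
            flagged.append((lg, f"unknown address {lg.ip} about {dist:.0f} mi from home"))
    return flagged


def too_many_new_addresses(logins, known_ips, window=timedelta(days=7), limit=2):
    """True if more than `limit` distinct unknown addresses log in within any
    `window`-long span; catches a multi-address pattern even when each single
    login looks plausible on its own."""
    new = sorted((lg.when, lg.ip) for lg in logins if lg.ip not in known_ips)
    for i, (start, _) in enumerate(new):
        ips = {ip for when, ip in new[i:] if when - start <= window}
        if len(ips) > limit:
            return True
    return False


def flag_batches(batches, known_payees, tolerance=0.05, window=timedelta(days=7)):
    """Flag a batch that (a) repeats, within `tolerance`, the total of a batch
    submitted less than `window` earlier, or (b) pays anyone never paid before."""
    flagged = []
    ordered = sorted(batches, key=lambda b: b.when)
    for i, b in enumerate(ordered):
        reasons = []
        for prior in ordered[:i]:
            if b.when - prior.when <= window and abs(b.total - prior.total) <= tolerance * prior.total:
                reasons.append(f"repeats the ${prior.total:,.2f} batch of {prior.when:%a %b %d}")
                break
        unknown = b.payees - known_payees
        if unknown:
            reasons.append(f"{len(unknown)} payee(s) never paid before: {sorted(unknown)}")
        if reasons:
            flagged.append((b, reasons))
    return flagged


# Constructed sample data: the outline follows the column, the details are made up.
HOME = (32.78, -96.80)            # Dallas, the customer's usual location
KNOWN_IPS = {"198.51.100.7"}      # the customer's office address
KNOWN_PAYEES = {"emp-01", "emp-02", "emp-03"}

LOGINS = [
    Login("hi-line", datetime(2009, 8, 20, 8, 0), "198.51.100.7", 32.78, -96.80),   # Thu, office
    Login("hi-line", datetime(2009, 8, 20, 14, 30), "203.0.113.15", 38.90, -77.04),  # Thu, "Washington, D.C."
    Login("hi-line", datetime(2009, 8, 21, 9, 10), "203.0.113.88", 39.29, -76.61),   # Fri, "Baltimore"
    Login("hi-line", datetime(2009, 8, 24, 7, 45), "192.0.2.44", 39.00, -76.90),     # Mon, "Maryland"
    Login("hi-line", datetime(2009, 8, 24, 9, 0), "198.51.100.7", 32.78, -96.80),    # Mon, office
]

BATCHES = [
    Batch("hi-line", datetime(2009, 8, 20, 10, 0), 25000.00, frozenset(KNOWN_PAYEES)),       # real payroll
    Batch("hi-line", datetime(2009, 8, 21, 9, 20), 24870.00, frozenset({"mule-A", "mule-B"})),
    Batch("hi-line", datetime(2009, 8, 24, 8, 5), 25115.00, frozenset({"mule-C", "mule-D"})),
]

if __name__ == "__main__":
    for lg, why in flag_logins(LOGINS, HOME, KNOWN_IPS):
        print(f"{lg.when:%a %b %d %H:%M}  LOGIN  {why}")
    if too_many_new_addresses(LOGINS, KNOWN_IPS):
        print("VELOCITY  more than two unknown addresses inside one week")
    for b, reasons in flag_batches(BATCHES, KNOWN_PAYEES):
        print(f"{b.when:%a %b %d %H:%M}  BATCH  ${b.total:,.2f}: " + "; ".join(reasons))
```

Run it and the Thursday-afternoon, Friday and Monday sessions are flagged as coming from unknown addresses roughly 1,200 miles from Dallas, the week gets a velocity flag for three unknown addresses, and the Friday and Monday batches are flagged twice over, once for repeating Thursday’s payroll total and once for paying people who had never been paid before. None of this needs more than the login and ACH records a bank already keeps.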

Mr. Krebs indicated the thieves pulled it off with the unwitting help of so-called money mules.

“Among those lured into the scam was Josh Enlow, a 28-year-old gas station attendant in Phoenix,” he wrote. “Enlow said he was hired by an entity calling itself The Total Group Co., which initially contacted him in an e-mail stating it had found his resume on a job search Web site, and would he be interested in an ‘accounts payable’ position?”

Reportedly, Mr. Enlow received several deposits and was asked to forward the money.

“He then wired the money to individuals in Eastern Europe as instructed, he said,” wrote Mr. Krebs.

“If the customer wants the bank to reimburse it for fraud losses, it’s up to the customer to prove that the bank’s security procedures are not commercially reasonable…” says IT security expert Dr. Stan Stahl. “The result, all too often, is that the customer has little choice but to sue the bank.”

But Dr. Stahl says there are reasons for such victims to hope:

“There’s a very good chance the bank’s procedures fail the test of commercial reasonableness,” writes Dr. Stahl.

But he adds that the burden of proving a bank is at fault is “huge.”

He says one solution is cyber theft insurance.

My counsel is due diligence by a top-notch security adviser, and to make sure you really know your bank.

From the Coach’s Corner, Dr. Stahl’s security blog: http://citadelonsecurity.blogspot.com/.

What You Must Do to Combat the Malware Epidemic


Aug. 11, 2010

The nation’s leading Internet security expert agrees with McAfee – the antivirus firm’s 2010 Q2 report states an epidemic of malware has been unleashed on the Web – and he provides solutions.

“The report reconfirms everything we’ve been saying since we began our blog 18 months ago. There has been a sea change in cybercrime,” writes Dr. Stan Stahl. “Threats are more sophisticated than ever, weaknesses and vulnerabilities abound. Defenses have not kept pace.”

Dr. Stahl is a principal in Citadel Information Group, and is president of the Los Angeles Chapter of the Information Systems Security Association.

“The report is a reminder to every organization to take a critical look at its defenses – everything from policies and employee awareness training to modern intrusion prevention systems,” suggests Dr. Stahl. “It needs to make sure it’s employing a cost-effective defense-in-depth strategy covering all three critical security management domains.”

He says the security-management domains include:

  1. Corporate security management
  2. Security management of the IT infrastructure
  3. Point-in-time security of the IT infrastructure

“It’s also a time to talk to your attorney and your insurance broker,” he adds. “Your attorney can make sure you’re aware of your legal responsibilities and can provide counsel on sharing sensitive information with 3rd parties. Your insurance broker can help you mitigate some of your security risk through cyber-insurance policies.”

Indeed, the McAfee report does confirm what Dr. Stahl has been telling me. The malware epidemic recently prompted Microsoft to issue an emergency, out-of-band patch for the Windows shortcut-file (.LNK) vulnerability. Whatever he recommends, I strongly endorse it.

Two resource links:

From the Coach’s Corner, Dr. Stahl has often graciously responded to my requests for information since 2004. His analysis on many IT security topics – from the dangers of mobile banking to using WIFI – can be found in numerous columns here on The Biz Coach site. Simply enter his name as key words in this site’s search in the upper right corner of any of these pages.

Is It Time to Educate CEOs about Threats from Cybercrime?

July 13, 2010

Many senior executives still don’t get it about cybercrime. There is plenty of evidence that cybercriminal activity is flourishing. But a USA Today report indicates research shows many CEOs remain unaware about the dangers to their firms when it comes to Internet security.

Eighty-one percent of information-technology professionals believe that their companies’ senior managers still do not comprehend the need to take proactive steps to ward off security threats.

That’s according to a study of 591 IT professionals conducted by the Ponemon Institute for NetWitness. The respondents voiced the same concern about a lack of understanding in government agencies.

In addition to the 81 percent concerning senior executives, the study reports other red flags:

  • 83 percent indicated their organization has been a recent target of advanced threats
  • 41 percent said they were frequently attacked

So, it’s time to check with go-to security expert Dr. Stan Stahl. Is it really possible that senior executives don’t fully comprehend IT security dangers?

“Our experience confirms the validity of these statistics,” believes Dr. Stahl. “The cybercrime problem is only going to get worse as more and more small and medium size businesses fall victim to online bank fraud.”

Commenting in his blog, Dr. Stahl is a widely known pioneer and consultant in security and the prevention of identity theft. He is the expert on Federal Trade Commission rules under the Gramm-Leach-Bliley Act governing non-public personal information held by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information-security professionals and practitioners.

“The biggest challenge we see is helping the men and women who have to dedicate resources (people or money) understand (1) why they need to improve the security of their information systems, (2) the basic steps involved in improving systems security, and (3) the ancillary competitive benefits they can get from improved information systems security management,” he writes.

Indeed, the study also indicates 44 percent of attacks result in the theft of confidential information, and 45 percent of the cyber strikes result specifically in the “theft of intellectual property.”

“It’s to meet this challenge that we in the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) have embarked on an aggressive Community Outreach Program,” writes Dr. Stahl. “Our objective is nothing less than to raise information security awareness.”

Of course, the association has local chapters in multiple cities; see www.issa.org.

Yes, it’s disappointing to know that senior executives are still in the dark. But IT pros can solve this problem. Here’s more: How CIOs Can Get More Respect in the C-Suite.

From the Coach’s Corner, this site’s Tech section contains many Biz Coach columns on cybersecurity with solutions from Dr. Stahl. (Note: I’m very familiar with Dr. Stahl’s expertise as we’re both members of Consultants West, www.consultantswest.com.)

For more on Dr. Stahl: http://www.citadel-information.com/index.php ; and blog.citadel-information.com.

Resources links: Ponemon Institute, www.ponemon.org; and NetWitness, www.netwitness.com.

Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist


June 27, 2010

At first glance, the free WIFI service at Starbucks seems like a great idea for mobile professionals. Starbucks’ free Internet service is a response to growing competition – McDonald’s upgraded coffee offerings and free WIFI, which have proved to be popular in the economic downturn.

Starbucks announced the service effective July 1, 2010.

But the WIFI offering by Starbucks has prompted a security warning and checklist from a go-to Internet security guru, Dr. Stan Stahl of Citadel Information Group in Los Angeles. His commentary is entitled, “Free WIFI at Starbucks – Reminder of Cybersecurity Risk.”

“While most of the common risk is eavesdropping, one cannot overlook the risk of computer compromise,” writes Dr. Stahl.

His five security recommendations:

  1. No online banking or other eCommerce
  2. No e-mail containing sensitive information except via an approved encrypted link from PC to mail server
  3. Keep anti-virus or host intrusion software up-to-date
  4. Make sure software patches are up-to-date
  5. Use a VPN (virtual private network) for access to the office

Respectively, here are Dr. Stahl’s Web site and blog addresses: www.citadel-information.com, www.citadelonsecurity.blogspot.com

From the Coach’s Corner, Dr. Stahl’s expertise is also quoted in these Biz Coach columns:

3 Studies – New Concerns about Internet Security


May 16, 2010

Phishing and other Internet security risks pose new dangers and raise concerns, according to three new studies, and two of the studies involve Facebook.

It’s been quite a roller coaster for Facebook.

On one hand, Facebook is enjoying a huge increase in display advertising impressions. Research firm comScore reports Facebook had 176 billion impressions in Q1 2010. That’s more than either Yahoo or Microsoft enjoyed.

However, Facebook faces increasing scrutiny over its privacy controls from Congress and European data protection authorities. Indeed, many users are dropping their Facebook memberships as a result of these and other developments.

Other Facebook users are probably shocked once they learn that their questionable posts are showing up on a Web site, www.youropenbook.org. Their embarrassing messages range from the results of HIV tests to playing hooky from their jobs. The site can display the posts because their authors left them public instead of restricting them through Facebook’s privacy settings.

The three studies:

Buzz Score. The so-called buzz score from the YouGov BrandIndex survey for Facebook among people over 35 is down, dropping to 21.2 from 26.7; the assumption was that privacy concerns were a factor in that age group. But among 18- to 24-year-olds it jumped to 44.8 from 26.7.

Phishing targets. Facebook is now in fourth place as one of the top phishing targets, according to a CNET report on a study by Kaspersky Lab. The article was written by Elinor Mills.

Phishing, of course, is the fraudulent attempt to obtain your sensitive information – credit card numbers, passwords and usernames – through e-mail that poses as coming from a trusted Web site.

The organizations most often impersonated in phishing e-mails, by share of attacks:

  1. PayPal – 52.2 percent
  2. eBay – 13.3 percent
  3. HSBC – 7.8 percent
  4. Facebook – 5.7 percent
  5. Google – 3.1 percent
  6. IRS – 2.2 percent
  7. Rapidshare – 1.8 percent
  8. Bank of America – 1.8 percent
  9. UBI – 1.6 percent
  10. Bradesco – 1.2 percent
  11. Other – 9.2 percent

“Facebook popped up unexpectedly in fourth place,” the report said according to CNET. “This was the first time since we started monitoring that attacks on a social-networking site have been so prolific.”

“Just last week, Facebook board member Jim Breyer, of venture capital firm Accel Partners, found that his Facebook account was spamming his contacts because of a phishing scam,” wrote Ms. Mills.

“The report also found that spam represents about 85 percent of all e-mail traffic and that Asia remains the leading source of spam by geographical region, while the individual countries serving as the top sources are the U.S., India, and Russia,” she also mentioned.

Worst phishing may be yet to come. Past attacks were bad, but the worst may still be in the planning stage, according to a study reported by Tim Greene in NetworkWorld. Mr. Greene wrote about a study by the Anti-Phishing Working Group (APWG) entitled “Global Phishing Survey: Trends and Domain Name Use 2H2009.”

A phishing group called Avalanche was notorious for its dominance. In October 2009 it launched 26,411 attacks; in April 2010 it launched only 59.

“As of this writing, Avalanche has dwindled to a shadow of its former self. Will Avalanche fade for good or will it too be reborn as something new?” the APWG report asks.

“This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and ‘crimeware’ – malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts,” states the study.

From the Coach’s Corner, for tips on Internet security, including the expertise of a Los Angeles security specialist, Dr. Stan Stahl, consider these Biz Coach columns:

How China-Google Controversy Might Affect Business, Government Security


Updated 6:50 p.m. April 20, 2010

The security issue between China and Google appears to be taking on new ramifications – threatening the proprietary information of businesses and government agencies that use the giant search engine’s services.

When Google was hacked last year by cybercriminals in China, they stole the source code of the program that controls access to Google’s services, according to a New York Times article Monday. Google has said in the past that the hackers were unable to access personal information in Gmail accounts, but the search engine did not respond to The New York Times report.

“As the story makes clear, businesses considering cloud services like those offered by Google, Amazon and others must ‘look before they leap’,” warns Internet security expert Stan Stahl, Ph.D., Citadel Information Group, Inc. (www.citadel-information.com).

“While it’s probably obvious to look at the security provided by the cloud provider, less obvious is that the business needs to also look at that part of security that will still be its responsibility, the part of security that the cloud service provider isn’t providing,” says Dr. Stahl, as the go-to security authority.

“Security can never be a matter of looking at ‘this’ or ‘that.’ Security must always be about looking at ‘this’ and ‘that’,” he adds.

As a management consultant, I wonder about two other questions:  What about the privacy of Google’s services and business and government agencies? Is the threat to Google’s business model more severe than first thought?

Google’s services for the private and public sectors are not limited to the following but they include:

  •  AdSense is a platform for publishers to generate income by displaying a bevy of click-through advertisements, but Google requires sensitive information in order for publishers to receive payment. Google’s AdSense automatically inserts display and text ads, which are frequently changed.
  • Google Analytics is a service that helps Web site owners to understand how they’re faring with visitors , such as how they reach your Web site and what they visit.
  • AdWords is a sponsored links section. It’s the largest service of its kind and Google has the No. 1 market share.
  • Merchant Center takes uploaded product listings for use in a variety of ways, including AdWords ads, Google Search, Google Product Search and Google Commerce Search.
  • Checkout is an online payment service that helps businesses sell online.
  • Website Optimizer, with access to sites, tests content in order for publishers to optimize the conversion rates of their visitors.

There are other Google services, but you get the idea.

The news article provided more alleged details about that program, which Google calls “Gaia,” after the Greek goddess of the earth. Gaia is the password system, reportedly stolen in source-code form, that manages sign-in to Google’s services for the private and public sectors.

For more of the report’s details, see: Cyberattack on Google Said to Hit Password System

If The New York Times article is accurate, and my Biz Coach sense is that it is, businesses and public agencies doing business with Google might want to consider a security-needs assessment by a qualified expert. This is also a bigger threat to Google’s business model than we first believed. Google deserves support on this security issue.

(Disclosure: This site published Google public service messages.)

From the Coach’s Corner, in a new related development, BusinessWeek reports government criticism of Google in this article: Google Is Neglecting Online Privacy, Authorities Say

Also, worth reviewing are two Biz Coach columns regarding Internet security:

How to Protect Yourself from the Internet Crime Wave

Business 101 Lessons: Google vs. China’s Censors, Cybercriminals

Antivirus Company Names Most-Perilous Internet Cities


Updated March 23, 2010

In cyber-crime, Seattle has earned a distinction it’d rather not have – the No. 1 riskiest online city. That’s according to Norton from Symantec. The antivirus company teamed up with research firm Sperling’s BestPlaces to determine the locales they deem most susceptible to Internet crime.

Maybe they are and maybe they’re not. A leading cyber-security expert, Dr. Stan Stahl, questions the data.

“While some of the factors used in assessing ‘risk’ would seem to be appropriate, my bottom line was expressed best by G.K. Chesterton: ‘It’s not that they don’t know the answer. It’s that they don’t even know the question’,” says Dr. Stahl, a noted Internet security expert in Los Angeles (www.citadel-information.com).

A Norton press release states its list of cities was developed as a result of the cyber-attack data compiled by Norton and other factors. The top five: Seattle, Boston, Washington, D.C., San Francisco, and Raleigh.

Norton’s ranking criteria fall into six categories:

1. The cyber-crimes data from Symantec Security Response:

  • Number of malicious attacks
  • Number of potential malware infections
  • Number of spam zombies
  • Number of bot infected computers
  • Level of Internet access

2. Expenditures on computer hardware and software

3. Wireless hotspots

4. Broadband connectivity

5. Internet usage

6. Online purchases

Missing from this list, Dr. Stahl says, are factors that would serve to mitigate risk, such as:

  • Number of information systems security professionals in the city
  • Average number of information security professionals per 1,000 computers and per company
  • Percentage of computers that connect to hotspots using a VPN (virtual private network)
  • Percentage of companies ISO 27001 certified (ISO refers to the International Organization for Standardization)
  • Numbers of CISSPs (Certified Information Systems Security Professionals), CISMs (Certified Information Security Managers), etc.
  • Percentage of businesses/homes with professionally managed firewalls

“By itself, expenditures may mean little or nothing since one large supercomputer can cost the same as zillions of PCs and actually lower risk,” explains Dr. Stahl. “There’s also the question of what ‘risk’ means when applied to a city, as opposed to an individual or an organization.”

So, it’s a question of what he calls “meaningful mathematics”: everything is relative.

“My risk goes up or down as the total number of bot infected or spam zombie computers goes up or down; it doesn’t really matter if they happen to be in my own town or somewhere else [more or less true, but not quite since a bot net or spam zombie in Africa poses less of a risk than a bot net in America],” he adds. “In this situation, my risk is my risk; it doesn’t meaningfully transfer to my city.”

Norton’s list of the alleged most-vulnerable cities:

1. Seattle
2. Boston
3. Washington, D.C.
4. San Francisco
5. Raleigh
6. Atlanta
7. Minneapolis
8. Denver
9. Austin
10. Portland
11. Honolulu
12. Charlotte
13. Las Vegas
14. San Diego
15. Colorado Springs
16. Sacramento
17. Pittsburgh
18. Oakland
19. Nashville-Davidson
20. San Jose
21. Columbus
22. Dallas
23. Kansas City
24. New York
25. Indianapolis
26. Albuquerque
27. Miami
28. Omaha
29. Virginia Beach
30. Los Angeles
31. Cincinnati
32. Houston
33. St. Louis
34. Phoenix
35. Chicago
36. Baltimore
37. Oklahoma City
38. Philadelphia
39. Jacksonville
40. Tulsa
41. San Antonio
42. Milwaukee
43. Cleveland
44. Tucson
45. Long Beach
46. Fort Worth
47. Fresno
48. Memphis
49. El Paso
50. Detroit

Again, based on the expertise of Dr. Stahl, if you live in one of the listed cities, you don’t necessarily have to worry. My thanks to him – he’s been very gracious with his analysis for many years.

From the Coach’s Corner, here are recent Biz Coach columns featuring his expert opinions:

His security blog: http://citadelonsecurity.blogspot.com/

Biz Coach Terry Corbell – the business-performance consultant – provides Proven Solutions for Maximum Profits.