The Zeldon Morris Worm

Computerworld reports an IT contractor gets five years for $2M credit union theft

A man named Zeldon Morris was hired as an IT contractor by four credit unions. Instead of just helping them he also set himself up to receive unauthorized deposits.

In all, Morris admitted to stealing about $1.2 million from First Family, about $82,000 from Alpine, about $635,000 from Deseret and $93,000 from First Credit.

According to court documents, the thefts would likely have gone unnoticed for some time if it had not been for Morris’ partner, who alerted Family First to unusually large ACH deposits being made into the joint business account.

The thefts would have gone unnoticed if his partner had not turned him in?

I was asked the other day by a reporter why fraud still happens when so many people know it exists. Great question. My answer may be published in the Sunday paper.

Power(less)Point and Security

SIEM (or SEM or SIM) vendors surely cringe when they read articles like yesterday’s NYT piece called We Have Met the Enemy and He Is PowerPoint.

“PowerPoint makes us stupid,” Gen. James N. Mattis of the Marine Corps, the Joint Forces commander, said this month at a military conference in North Carolina. (He spoke without PowerPoint.) Brig. Gen. H. R. McMaster, who banned PowerPoint presentations when he led the successful effort to secure the northern Iraqi city of Tal Afar in 2005, followed up at the same conference by likening PowerPoint to an internal threat.

“It’s dangerous because it can create the illusion of understanding and the illusion of control,” General McMaster said in a telephone interview afterward. “Some problems in the world are not bullet-izable.”

Ouch. Although true, McMaster has himself just boiled down the problem into a bullet-ized sound bite. Hypocritical? No, the difference really is in quality versus quantity. Illustration is essential when done properly. Tufte has made this very point for many years in his books:

Tufte on PowerPoint

Keep this in mind the next time you are asked by a vendor to look at a dashboard or a report, especially for a product that includes the word management in its title (e.g. SIEM, SEM, SIM).

Does a management or presentation tool really save time or clearly illustrate the point(s) you need to know?

The best way to find out is to perform some simple tests. Prop open a door and then ask to see the alarm on the system. Run a scan, not even a stealthy one, and ask to see the alarm on the system.
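Both tests above come down to the same question: given the raw events, does the system actually raise an alarm? As an added example (not code from the original post or from any vendor product), here is the minimal detection logic a practitioner would expect behind each test, run over constructed sample logs. The log format, field names, hosts and door names are all assumptions; the two rules are a distinct-ports-per-source count in a sliding window for the scan, and an open-to-closed duration check for the propped door.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not from the original post). The line format
# "timestamp key=value ..." and the field names are assumptions; real
# firewalls and badge readers each have their own format.
CONNECTION_LOG = """\
2010-04-27T10:00:01 src=10.1.1.5 dst=10.1.2.20 dport=443 action=allow
2010-04-27T10:00:02 src=10.1.1.5 dst=10.1.2.20 dport=80 action=allow
2010-04-27T10:00:03 src=10.1.1.5 dst=10.1.2.21 dport=25 action=allow
2010-04-27T10:00:05 src=10.1.1.99 dst=10.1.2.20 dport=21 action=deny
2010-04-27T10:00:06 src=10.1.1.99 dst=10.1.2.20 dport=22 action=deny
2010-04-27T10:00:07 src=10.1.1.99 dst=10.1.2.20 dport=23 action=deny
2010-04-27T10:00:08 src=10.1.1.99 dst=10.1.2.20 dport=25 action=deny
2010-04-27T10:00:09 src=10.1.1.99 dst=10.1.2.20 dport=53 action=deny
2010-04-27T10:00:10 src=10.1.1.99 dst=10.1.2.20 dport=80 action=allow
2010-04-27T10:00:11 src=10.1.1.99 dst=10.1.2.20 dport=110 action=deny
2010-04-27T10:00:12 src=10.1.1.99 dst=10.1.2.20 dport=135 action=deny
2010-04-27T10:00:13 src=10.1.1.99 dst=10.1.2.20 dport=139 action=deny
2010-04-27T10:00:14 src=10.1.1.99 dst=10.1.2.20 dport=443 action=allow
2010-04-27T10:00:15 src=10.1.1.99 dst=10.1.2.20 dport=445 action=deny
2010-04-27T10:00:16 src=10.1.1.99 dst=10.1.2.20 dport=3389 action=deny
2010-04-27T10:00:20 src=10.1.1.5 dst=10.1.2.20 dport=443 action=allow
"""

DOOR_LOG = """\
2010-04-27T09:00:00 door=lobby state=open
2010-04-27T09:00:04 door=lobby state=closed
2010-04-27T09:30:00 door=server_room state=open
2010-04-27T09:31:10 door=server_room state=closed
"""


def parse_line(line):
    """Split one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_port_scans(log, threshold=10, window=timedelta(seconds=60)):
    """Alert when one source touches >= threshold distinct ports within a window.

    Note that allowed and denied connections both count: a scan of open
    ports is still a scan, so filtering on action=deny alone would miss it.
    Returns one alert per offending source.
    """
    by_src = defaultdict(list)
    for line in log.splitlines():
        ev = parse_line(line)
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()  # events inside the sliding window
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            ports = {e["dport"] for e in recent}
            if len(ports) >= threshold:
                alerts.append({"src": src,
                               "first_seen": recent[0]["ts"],
                               "distinct_ports": len(ports)})
                break  # one alert per source is enough
    return alerts


def detect_doors_held_open(log, max_open=timedelta(seconds=30)):
    """Alert on any door whose open-to-closed interval exceeds max_open.

    Returns (door, seconds_open) tuples. A door that is opened and never
    closed within the log produces no alert here; a production rule would
    also fire on a timer for that case.
    """
    open_since = {}
    alerts = []
    for line in log.splitlines():
        ev = parse_line(line)
        door = ev["door"]
        if ev["state"] == "open":
            open_since[door] = ev["ts"]
        elif door in open_since:
            held = ev["ts"] - open_since.pop(door)
            if held > max_open:
                alerts.append((door, int(held.total_seconds())))
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(CONNECTION_LOG):
        print("SCAN  ", a)
    for d in detect_doors_held_open(DOOR_LOG):
        print("DOOR  ", d)
```

If the product's dashboard stays quiet while this logic, fed the same events, would have fired, the dashboard is illustrating something other than what you need to know.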

Ponemon Breach Study Gets it Wrong

Dark Reading has posted an interview with Ponemon regarding the latest breach notification study. The study claims Costs Of Data Breaches Much Higher In U.S. Than In Other Countries.

“A big reason for [the high cost of churn in the U.S.] is that U.S. companies are required to notify customers of their breaches, even if they only suspect that the customers’ records might be affected,” Ponemon says. “That sort of notification doesn’t happen anywhere else in the world.”

This is not accurate. There are at least twenty-four countries in the world with breach notification requirements that involve suspected loss, as I explain in my presentations on breaches.

The UK, for example, requires public entities to disclose a breach after media is lost or missing. This is the reason you will find reports about them in the news. Commercial entities are less regulated, but it is not accurate to say notification doesn’t happen anywhere else in the world.

The Money Stop gives a good example from last month:

The HMRC office that has been involved in the latest breach is the same one that lost the details of 25 million people on discs back in 2007, raising a major alert over identity theft and security.

Why would they disclose this breach or the one three years ago when they only suspect records may be affected? They are required to do so by the Information Commissioner’s Office (ICO) under the Data Protection Act (DPA) of 1998. The Department of Work and Pensions, DVLA and other government bodies have also reported breaches, as documented in the list of DPA violations.

Ponemon’s study gives a few numbers for impact:

Notification accounts for $500,000 of the $6.75 million that the average U.S. company spends on a breach, according to the study; the average French company spends only $120,000 on notification.

I question whether they have found the right cause or whether they rely too much on a correlation.

India leads APJ malware

Today’s India Times article on malware statistics has an almost boastful tone as they say India is no. 3 haven for hackers.

The country saw an average of 788 bots per day during 2009. Bots are malware that turn computers into zombies, and there were 62,623 distinct bot-infected computers observed in the country during 2009. Amongst the cities in India with the highest number of bot-infected computers, Mumbai figured at the top with 50% followed by Delhi at 13% and Hyderabad at 7%.

The recipe for malware growth, both in terms of infection and generation, comes from network speed and ubiquity of hardware.

Symantec suggests this briefly in their April 2010 Global Internet Security Threat Report.

Brazil’s significant increases across all categories are related to the growing internet infrastructure and broadband usage there.

How much growth? Over what period? In other words, the more systems connected with high-speed access, the more malware you should expect. The article does not give this analysis, nor does Symantec. The more interesting statistic would be the percentage of total systems infected relative to the total number of people with systems, and its rate of change, instead of just who has the most infected systems.
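To make the point concrete, here is an added example (not from the article or from Symantec's report) that ranks countries both ways: by the raw count of infected systems and by the share of connected systems that are infected, with the year-over-year change in that share. All figures are constructed for illustration; the country names are placeholders.

```python
# Constructed figures for illustration only; none of these are real
# statistics from the India Times article or from Symantec.
SAMPLE = {
    "Country A": {"infected": {2008: 40_000, 2009: 62_000},
                  "connected": {2008: 50_000_000, 2009: 80_000_000}},
    "Country B": {"infected": {2008: 20_000, 2009: 30_000},
                  "connected": {2008: 4_000_000, 2009: 5_000_000}},
    "Country C": {"infected": {2008: 24_000, 2009: 25_000},
                  "connected": {2008: 9_500_000, 2009: 10_000_000}},
}


def infection_rate(record, year):
    """Fraction of connected systems observed as bot-infected in a year."""
    return record["infected"][year] / record["connected"][year]


def rank_by_count(data, year):
    """Headline-style ranking: who has the most infected systems."""
    return sorted(data, key=lambda c: data[c]["infected"][year], reverse=True)


def rank_by_rate(data, year):
    """Normalised ranking: who has the highest share of systems infected."""
    return sorted(data, key=lambda c: infection_rate(data[c], year),
                  reverse=True)


def rate_change(record, year_from, year_to):
    """Relative change in the infection rate between two years.

    A country whose connected base grows faster than its infections can
    show a falling rate even while its raw count rises.
    """
    before = infection_rate(record, year_from)
    after = infection_rate(record, year_to)
    return (after - before) / before


if __name__ == "__main__":
    print("by count 2009:", rank_by_count(SAMPLE, 2009))
    print("by rate  2009:", rank_by_rate(SAMPLE, 2009))
    for name, rec in SAMPLE.items():
        print(f"{name}: rate {infection_rate(rec, 2009):.5f}, "
              f"change {rate_change(rec, 2008, 2009):+.1%}")
```

With these numbers Country A tops the raw count while its infection rate is the lowest of the three and actually fell between the two years; that is the difference between a headline and a statistic worth acting on.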