Another Huge Security Breach

CNet News reported last Friday about a security breach at UC Berkeley which left 160,000 individuals at risk due to possible stolen information.  At particular risk of identity theft are some 97,000 individuals whose Social Security numbers were accessed in the breach, but it’s still unclear whether hackers were able to match up those SSNs with individual names.

What is particularly worrisome is that the server breach began on October 9, 2008, and continued through April 9, 2009, when a campus computer administrator doing routine maintenance discovered messages left by the attackers. Logs indicate that the hacks originated from overseas, with traces specifically in China. It’s not so much that a prestigious institution has been hacked, because UC Berkeley joins a long list of others who have preceded them. What is particularly troublesome is the question it raises: whether the university has appropriate monitoring tools in place, given that the hack went unnoticed for six months.

The global attacks on personal information continue to escalate both in frequency and sophistication. The escalation is driven by the ultimate economic payback, which is used to hire even greater talent to create the next exploitation. Most of the threat still comes from hacked websites which deliver a nasty payload of spyware without the visitor knowing. In 2008, several high-profile websites were targeted, including USA Today, ABC News, Target and Wal-Mart, and simply visiting one of these infected websites could have resulted in the user’s computer being infected.

I’ve provided information previously, in a post entitled “How to Avoid Dangerous Web Sites”, which enables you to check a site for malicious code before actually landing on it. In an April 1, 2009 news story entitled “Malware levels climb to new levels in March”, security firm Symantec pointed to the March 2009 MessageLabs Report, which found that the number of new sites harbouring malware jumped by 197 percent over the past month, at a rate of 2,797 new sites every day. Yikes!

“Having been focused on email tactics for the latter half of 2008 and early 2009, the cyber criminals are turning their attention towards web-related tactics, so as not to become too predictable,” said senior MessageLabs analyst Paul Wood. “Their goals of financial gain and espionage remain the same, however.”

I wish I had great answers.  Here are a few to help you and your firm:

1.  Make sure your domain host has adequate security, and also keeps several generations of backup of your web content and coding.  As someone who experienced their site crashing due to attack, I can tell you that I was disappointed to learn that the most current backup wasn’t quite so, ahem, current.  My host is now doing a better job of it.

2.  Educate your staff about risks.  Have a written computer use policy in place.  Enforce it.  Plan on having refresher sessions frequently.  Don’t forget to go over it in detail with each new hire.

3.  Make sure that anyone who works from home has a secure computer which not only protects client confidentiality, but also ensures no spouses or teenagers are visiting questionable sites which can easily infect your computer and then in turn your office computers.  Sites for free downloads of music and video, pornography sites, or viewing sites like YouTube, are known for often harboring nasty script.

4.  Don’t go to unknown sites without pre-screening for malicious scripts.

5.  Don’t give out personal information to anyone who will store it electronically unless you have to.  Don’t be afraid to question their data security.  Be particularly careful about giving out your SSN.

6.  Regularly check your computer network for data breaches.  Create a protocol to do so.  Don’t know how?  Contact a computer security / forensic specialist for assistance.  Remember the Red Flags Rules.   They were to go into effect as of May 1, 2009.  There is an extension until August 1, 2009 currently in effect.  So this point isn’t just a suggestion, it’s going to be a federal requirement.

7.  If you have to leave your email address somewhere you aren’t sure about, and your work email includes your domain name (e.g. then get and use a GMail email account address instead.  It will prevent calling attention to your web site by nasty people whose spiders scan the internet constantly searching for new email addresses and their domains.

It’s a very scary world out there. Much of it we can’t control. You’d be foolish to skip the extra steps that may help you protect yourself, your firm, and your clients.


