Comments on: Who says security breaches are small potatoes?

Not when they impact the corporate bottom line--and they sure do, writes attorney Eric J. Sinrod.

[n3td3v]

the government allow the cyber terrorists to get electronic arms

you let hackers release information and software at international computer security conferences and this is the result you get.

hackers at security conferences are being allowed to release their information and tools to script kiddies and cyber terrorists, under the assumption the hackers are legitimate "security researchers", the problem is the information and tools these security researchers think are going to force people to be more secure and be more aware to a particular attack vector doesn't work in reality, what you get is certain areas of corporate america is security breaches like TJX, and no legal action is taken back to the original hacker/researcher at the international security conference who aided the script kid and cyber terrorists from carrying out the breach.

these security researchers are supplying the bad guys with guns to do their malicious actvity, and no one is stopping them.

if this was arms in the real world, like iran supplying terrorists with guns to attack america is iraq, something would be done, but when its computer hackers at security conferences putting the electronic guns into the hands of script kiddies, cyber criminals and cyber terrorsits, everyone sits back and let it happen.

when is cyber terrorism and the supply of tools and information cyber terrorists need to carry out these breaches going to be stopped by heavily restricting the release of tools and information at high profile international security conferences, which in turn end up being hosted by hundreds of sites across the world for any would-be cyber terrorist to download and launch attacks against the western economy.

[Dalkorian]

but is censorship the answer?

I'm not sure I can go with the idea that information being made
public is evil. Do you really believe this problem would go away if
the GOVERNMENT started committing CENSORSHIP on these
conferences? Or would the cyber terrorists just use "back alley"
tactics to spread their information?

Make it all public and force the public to grow up and defend itself.
It might be painful at first, but in the end we'll all be better off for
it.

[dargon19888]

Bzzzt! Knee Jerk Idoicty

Remember Morris' Worm?
Maybe it was before your time. Circa 1988?

If it wasn't for communication between System Admins, we'd have been hosed for a lot longer that a couple of days.

You need to have a way to get information about potential breeches out to the admin community.

With respect to TJX, while the author, a lawyer, didn't condemn TJX for lax security measures, reports indicated that they had not implemented any security on their wi-fi networks within the store and the perpetrators gained information and access through this major security faux paux.

So get real junior. Ignorance is bliss, but it will cost you.

[Marcus Westrup]

Shadow World

Hackers (the bad kind) have an industry of their own now. Information is traded in secret, money is made, and the corruption grows. In many ways the bad guys are better funded and organized than the commercial security industry.
The problem is not that security people are exposing weaknesses - it?s not being able to keep black hats from finding them first.

[marileev]

Organized cyber criminals

Marcus, you're absolutely right, the Haephratis were a prime example of organized cyber criminals - http://news.bbc.co.uk/1/hi/technology/5313772.stm

Ruth & Michael Haephrati setup a fake solutions company called Target Eye and would send sales CDs to company execs. The CDs contained malware (keyloggers) to capture valuable company information. Others simply use phishing as a method to glean sensitive data http://www.essentialsecurity.com/news.htm?pagename=Phishing_and_the_Road_to_Recovery

[keydet89]

Not that it matters, really...

It's nice that you've point that out, but the fact remains that most C-level management is NOT going to do what it takes to protect that sensitive personal data that they have on their network (notice that not once do I make any reference to 'secure'). It's the 'but it won't happen to me' attitude that prevails...and when it does, wow, what an effect it has! This kind of thing will continue...prehaps not on the scale of TJX...to the point where you won't see it here anymore because it isn't news.

Harlan
http://windowsir.blogspot.com
Author: "Windows Forensic Analysis"

[Jerics]

Notify Customers?

Well I checked with my banks and two of my card numbers were on the list and I had to get new cards. They still haven't notified me. So how many more weren't notified that "cost" them. Hmmm---interesting.

[mveronica]

Cost didn't go towards notifying customers...

"The charges include costs to investigate and contain the intrusions, as well as to strengthen computer security and systems. It also includes costs relating to communications with customers and for technical, legal and other related charges. "

The article doesn't state that costs went towards notifying customers, which may explain why they di an inadequate job informing their victimized customers.

You would think that informing those victimized would be the first step and would cost the least amount of money so it does seem rather odd that that was not their first step to recovering from the breach.

[marileev]

Double Victimization

When a bank fails to communicate these breaches effectively with their customers, their credibility as a financial organization can go down the toilet and leave the customer feeling that they're also a victim of the bank.

Here's a story where a B of A customer sadly got just that when someone hijacked her account http://redtape.msnbc.com/2007/05/id_thief_bounce.html

[wbenton]

Common Security Sense 101

DO NOT OUTSOURCE SECURITY!

As the article said:

>>>companies should educate themselves now, if they have not done so already, as to how best to strengthen their computer security.<<<

It MUST be done in-house if it's to be done properly.

Walt