May 19 2010

Symantec to buy VeriSign’s security unit for $1.3B

Security vendor Symantec Corp. is reported to be close to buying Internet infrastructure services vendor VeriSign Inc.’s security business for $1.3 billion.

The Wall Street Journal quoted unidentified sources who are said to be close to the deal as saying it would give Symantec control of VeriSign’s $410 million authentication business, which provides a range of encryption technologies and services.

A Reuters report late Tuesday also quoted an unnamed source as saying that VeriSign had been shopping for a buyer for its security unit recently.

Meanwhile, other news reports fueled the speculation by adding that VeriSign CFO Brian Robins had abruptly pulled out of a JP Morgan investors conference on Tuesday afternoon.

News of the possible deal pushed VeriSign’s shares up by $1.39 or 5.18% to $28.23 Tuesday afternoon. But with the expected deal not announced until late Tuesday, VeriSign’s shares yielded back some of that gain in after hours trading. Shares of Symantec meanwhile were down 2.03% to $15.95 on news of the rumored deal.

A spokesman for Symantec said the company would not comment on rumors and speculation. A VeriSign spokeswoman also said the company would not comment.

If the deal were to happen, it would be the second security-related business unit that VeriSign has shed in the past few months. Last October the company sold its Global Security Consulting unit to AT&T in a deal whose terms were not disclosed.

The deal gave AT&T control of a VeriSign business unit focused on security and ID management related consulting services for Fortune 500 companies.

At that time, VeriSign CEO Mark McLaughlin was quoted as saying that the sale was in keeping with VeriSign’s goals to divest itself of certain business units.

Source


May 19 2010

Fraud Bazaar Carders.cc Hacked

Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.

The breach involves at least three separate files being traded on Rapidshare.com: The largest is a database file containing what appear to be all of the communications among nearly 5,000 Carders.cc forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and in many cases the passwords of Carders.cc forum users.

A third file — which includes what appear to be Internet addresses assigned to the various Carders.cc users when those users first signed up as members — also features a breezy explanation of how the forum was compromised. The top portion of this file — which is accompanied by an ASCII art picture of a cat — includes an oblique reference to the party apparently responsible for the Carders.cc site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such “e-zines” to come from this group.

Ironically, the anonymous authors of the e-zine said they were able to compromise the criminal forum because its operators had been sloppy with security. Specifically, they claimed, the curators of Carders.cc had set insecure filesystem permissions on the Web server, which essentially turned what might have been a minor site break-in into a total database compromise.

Source


May 14 2010

Verizon Widens Cloud Security Offerings

Verizon Business will offer security as a service from eight of its many worldwide IP network data centers. In making the offering, it’s taking a calculated risk that it can convince business users that security, almost always an on-premises and often a hardware-based service, can be offered safely from software in the cloud.

Verizon will have to make a convincing case that its approach is a solid one. After all, in survey after survey, CEOs’ main concern about cloud computing in any form is that it may not be secure.

“We’ve been doing cloud-based security for six years,” said Jonathan Nguyen-Duy, security product management director, in an interview. With 237 data centers powering parent company Verizon Communications’ IP network operations around the world, Verizon has experienced massive denial of service attacks and other assaults that might overwhelm average data center defenses. If a telecommunications leader’s defenses are applied to a business, they will represent a significant upgrade of existing protections, he asserted.
All of its 237 data centers are regularly audited by outside parties to ensure they meet the security protections that Verizon claims for its operations, Nguyen-Duy added.

The May 12 announcement of security as a service is Verizon Business’ latest foray into cloud computing. In June 2009 it launched computing as a service, or the availability of virtualized servers in its data centers for rent by the hour. At the end of April, it launched consulting services to share knowledge of how data centers may be built and operated in conjunction with public cloud resources, such as its computing as a service. At the same time it opened a second data center in Hong Kong to deliver more cloud services to the Asia Pacific region.

Security as a service, however, remains a new concept. Nguyen-Duy said any large or medium-sized business is likely to have multiple facilities where it wants a common standard of security protections. Verizon can provide security measures to any facility, putting monitors in place that analyze traffic moving over company networks and watch for threats.

At the same time, said Peter Tippett, VP of technology, Verizon Business can give each company a central console through which to view all its security as a service implementations. “Enterprises can tailor their security solutions to meet the unique needs of their business, with the ability to strengthen their security protection at a moment’s notice,” he said in the announcement.

That may be true someday, but right now customers interested in security as a service are waiting for its most basic offerings to materialize. In June, Verizon Business will roll out anti-virus, spam, and malware protections and filtering of unwanted traffic from designated URLs. These services will be built into the basic network service already being consumed by Verizon customers at no additional charge, but there is a 50-megabyte limit on the amount of traffic per month that they apply to. The services are intended to show Verizon has the ability to supply “clean pipes” to customers, Nguyen-Duy said.

In the fall, Verizon Business will offer network firewalls as a service from its data centers, with intrusion detection and prevention as well. These services will be charged for as separate products from the network service.

Early next year, Verizon will make its denial of service detection and mitigation services available from the cloud. None of the Verizon security services are meant to be “rip and replace” services for existing on-premises security. Rather they complement those measures, and can be implemented when a common standard of security is sought for new operations that span both on-premises and cloud data centers.

Nguyen-Duy is aware of the skepticism that the cloud itself can be made acceptably secure, and that makes it harder for prospects to believe that security can reliably flow out of the cloud. Nevertheless, he says, the combined protections that Verizon can offer mean “we will scrub traffic more efficiently” than customers can by themselves. Security as a service from the cloud will lead to 35-40% savings in security expenses, he claimed.

Source


May 11 2010

Heartland breach expenses pegged at $140M — so far

The costs to Heartland Payment Systems Inc. from the massive data breach that it disclosed in January 2009 appear to be steadily adding up.

Quarterly financial results released by Heartland last week show that the card payment processor has accrued $139.4 million in breach-related expenses. The figure includes a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees.

That total also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the breach. One example of what the fund is set up for is Heartland’s offer to settle several consumer class action lawsuits against it for $4 million.

So far, Heartland has recovered about $30 million from insurance companies. Even with the updated figures, Heartland so far has spent considerably less than the staggering $250 million that TJX Companies Inc. estimated it would eventually spend to address its massive 2006 data breach.

Even so, given the scope of the Heartland breach, in which an estimated 130 million credit and debit cards were compromised, it is likely that Heartland will end up spending more than TJX over time.

Heartland’s disclosure of its breach-related expenses comes at a time when studies show that costs to companies from data breaches are steadily rising. The Ponemon Institute said it found the average cost per security breach incident in the U.S. in 2009 was $6.75 million. On average, companies spent about $204 per breached record, the study found.

Costs to companies from data breaches are significantly impacted by notification laws, the Ponemon study noted. In the U.S., the cost per lost record is 43% higher than the global average because of breach notification laws in 48 states.

Another big cost is the lost business due to lost or eroded customer trust following a data breach, the Ponemon study found. The negative publicity surrounding a data breach makes it costlier for companies to retain existing customers or attract new ones, the study found.

Source


May 9 2010

Goldman Sachs sued for alleged data theft

Ipreo Holdings, a New York-based provider of software and market intelligence services for investment banking and corporate clients, has filed a lawsuit against Goldman Sachs alleging copyright infringement and theft of trade secrets.

The lawsuit, filed in US District Court for the Southern District of New York on Thursday, charges several unidentified employees of Goldman Sachs with illegally accessing an Ipreo database and stealing data from it.

The lawsuit seeks at least US$1 million in compensatory damages and another $2 million in punitive damages.

A spokeswoman for Goldman said the claims were without merit but offered no other comment.

Ipreo maintains a database called Bigdough, which it claims took years of effort and substantial investment to build. According to the company’s description of Bigdough, the database is the most complete and accurate listing of “buy-side portfolio and asset managers, sell-side institutions, funds and 80,000 contacts in the financial industry”. The company claims over 16,000 subscribers to the database.

“The database is of unparalleled value to financial institutes such as defendant Goldman,” from a marketing standpoint, Ipreo claimed in its complaint.

Ipreo said at least two Goldman Sachs employees, and possibly several more, illegally accessed the Bigdough database on dozens of occasions in 2008 and 2009. In its complaint, Ipreo alleged that its database had been illegally accessed at least 264 times by Goldman employees using login credentials belonging to someone else.

The company claimed that Goldman employees downloaded substantial amounts of data from its database during these illegal visits. Ipreo claimed that Goldman tried to play down the seriousness of the situation when informed about the illegal access.

Goldman admitted that the IP addresses associated with the illegal logins belonged to it, but tried to portray the logins as the act of a lone employee, the complaint notes.

“Defendants knew they lacked Ipreo’s permission to use or license the contacts, annotations or other copyrighted protected expression in the database,” the complaint reads.

Ipreo sought to hold Goldman vicariously liable for allowing its employees to use company systems and infrastructure to illegally access Ipreo’s database. The company had the right and the ability to monitor its employees and control what they do on the network, but failed to do so, the complaint says.

Source


Apr 28 2010

Data breaches in U.S. cost more

The average cost to an organization of a data breach in the United States is higher than in four other countries where data-breach costs were compared, specifically Australia, France, Germany and the United Kingdom, according to a Ponemon Institute report published Wednesday.

The average cost of a data breach in the United States in 2009 was $204 per compromised customer record, in comparison with $177 in Germany, $119 in France, $114 in Australia and $98 in the United Kingdom. According to Mike Spinney, senior privacy analyst at research firm Ponemon, the reason the United States is highest in comparison with the four other countries is that the United States has the toughest data-breach notification laws, which incur higher legal and other costs.

“Lawyers cost money,” Spinney says, pointing to the findings in the “2009 Annual Study: Global Cost of a Data Breach” report. “The costs are higher because the U.S. has disclosure requirements.”

Australia, France and the United Kingdom do not have the type of data-breach notification requirements enshrined in law in the way you see in the United States, though Germany recently did adopt notification laws, Spinney says.

Outside the United States, organizations are often required to inform their governments about data breaches, but this information does not usually become public in the way you see it in the United States, Spinney points out.

The Ponemon report, sponsored by PGP, was done by gaining input from 133 organizations in 18 industry sectors known to have suffered a data breach in 2009 that were willing to discuss it confidentially.

With organizations in non-U.S. countries, Ponemon did not receive the same level of detailed breakout of data breach costs as it does with U.S.-associated data breaches, but did receive more of a total cost overview.

According to the report, the total cost of a data breach in the United States averages $6.75 million, as opposed to $3.44 million in Germany, $2.57 million in the United Kingdom, $2.53 million in France and $1.83 million in Australia. About half of the incurred losses appear to be connected to the cost of lost business, with the United States highest in that category at 66%.

In seeking to trace data loss to third-party mistakes, the Ponemon study found 35% of all cases involved outsourcing to third parties, and 35% were traced to malicious or criminal attacks, with French companies appearing to suffer the largest increase in costs as a result.

Spinney says Ponemon hopes to do more multi-country studies of this kind to get far more information about the impact of a data breach in different nations with different regulatory structures.

Source


Apr 28 2010

Security pros, meet your new best friend: the CFO

Executives in charge of information security should make friends with the CFO, who can give them a broad overview of corporate priorities and see to funding the most important IT projects that protect corporate data.

Security pros should also look skeptically at industry compliance standards and avoid outsourcing security wholesale, said John Pironti, president of IT Architects, speaking at the Interop conference in Las Vegas.

CFOs have a broad view of the company and can appreciate where info security is key to corporate goals, Pironti said. Talking to them can help refine information security goals and nurture support for them in the budgeting process, he added.

Aligning those goals with corporate needs is the right way to go, not blindly following industry compliance standards such as HIPAA and PCI, Pironti said. He noted that the CEO of Heartland — which has suffered the largest public breach of credit card data anywhere — has made public statements that the company was compliant with PCI at the time of the breach. “Isn’t that scary?” Pironti asked.

Part of PCI fine print says, essentially, “If you’ve been breached, you couldn’t have been compliant,” Pironti said. Standards are good in that they give a sense of what a business community at large is doing to address common problems, but corporate risk management should be designed for the individual corporation. They can be aligned with industry standards later, but shouldn’t be driven by those standards, he said.

Information security pros should also re-evaluate their security tools periodically to avoid maintaining technologies that may not meet corporate needs anymore. He didn’t advocate dumping antivirus software, but pointed out that these products stop 35% to 40% of viruses, down from 47% last year, according to published testing.

Security executives need to distinguish between threats and risk, Pironti said. Threats are bad things that might happen, but risk is the weight given to them based on the practical consequences to the business, and that is unique to each business. “I can tell you about threat, but I can’t say how it fits into risk to you,” he said.

Pironti advocated that companies create the position of a chief risk officer (CRO) who sits on the board of directors and has the broadest possible view of the business. Such a CRO could offer guidance to CISOs about what assets to protect based on the main goals of the business.

Risk-combating programs should be separate from operational activities in order to keep continuing focus on the major risks. If risk-enforcement leaders get sucked into day-to-day operations they tend to lose focus on risk management, Pironti said.

Consultants from outside the company can help, but outsourcing risk management to them altogether is a bad idea. If their contract is canceled, they take with them knowledge of critical functions. Similarly, businesses should avoid following vendor recommendations about what is important to protect. “You’re the only one who can say what’s critical in your world,” he said.

Any risk management program needs enforcement, with well-publicized consequences for failure to comply. If the risk created by the failure is low, so should the punishment be. But for severe breaches that endanger network assets, punishment should be severe and include firing, Pironti said.

Source


Apr 22 2010

Health Insurer Notifies More Than 409,000 Of Potential Breach

Affinity Health Plan, a New York managed care service, is notifying more than 400,000 current and former customers and employees that their personal data may have been leaked through the loss of an unerased digital copier hard drive.

According to a press release quietly issued earlier this month, some personal records were found on the hard drive of a copier found in a New Jersey warehouse. The copier had previously been leased by Affinity and was then returned to the leasing company, the release states.

The disclosure follows the airing of a CBS News report which calls attention to the practice of recycling or resale of copiers whose hard drives have not been properly erased.

The report showed the discovery of numerous medical records found on warehoused digital copiers. An executive at a company that makes hard-drive-erasure products used a free forensics tool to glean the data from one of the copiers in the CBS News report.

The CBS investigation also turned up sensitive data from other organizations, including personal information from a restaurant in the Phoenix area and criminal records information from a Buffalo-area police department.

Affinity Health Plan says it has not had a chance to review the data found on the copier, but in a news report, a spokesman said that the figure of 409,262 notifications includes former and current employees, providers, applicants for jobs, members, and applicants for coverage.

Failure to properly dispose of medical records is a violation of New York privacy regulations and could carry fines or other sanctions.

Source


Apr 13 2010

Medical records secured by code-changing algorithm

Medical records databases are a treasure trove for researchers – mapping trends in diseases and studying them to discover better treatment methods has never been easier.

Information that was previously available to a restricted number of researchers is now digital and accessible to many, making the issue of patient privacy prominent in discussions regarding the handling of these records.

Electronic medical records consist of very detailed patient data, where every disease, symptom or injury has its own code, which makes analysis easier and faster. But the problem is that these codes are available through public databases and electronic medical records, and with this knowledge, this anonymized data can still be tied to the persons to whom it belongs.

To prove that this is a realistic problem, a research team from Vanderbilt University in Nashville conducted an experiment in which 96 percent of the 2,762 patients in the test group were identified through their diagnosis codes.

Scientific American reports that – as a solution to this problem – they introduced an algorithm that generalizes clinical information, but doesn’t interfere with the medical and genetic inter-data connections needed for research. The algorithm exchanges the publicly known ICD codes with another code system.

They tested it by simulating a hacker attack, with the premise that the hacker is privy to the patients’ identity, their ICD codes and the fact that the patients’ data is included in the database. The test was completely successful – the hacker couldn’t uncover the patient’s private information, and the information remained useful for research.
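The re-identification problem and the generalize-the-codes fix described above, as an added illustration: the records, the adversary's knowledge and the generalization scheme (a textbook full-domain generalization with outlier suppression) are all constructed here and are not the Vanderbilt team's algorithm or data. Codes only follow the ICD-9 "category.subcategory" shape; their clinical meaning does not matter.

```python
"""Diagnosis-code re-identification and a simple generalization defence.

Constructed example, not the Vanderbilt team's method or data. Codes are
ICD-9-shaped strings (e.g. "250.01" generalizes to category "250").
"""
from collections import Counter

# Constructed "de-identified" research extract: record id -> set of codes.
# Record ids stand in for rows whose names were already removed.
RESEARCH_TABLE = {
    "p01": {"250.01", "401.9"},
    "p02": {"250.02", "401.9"},
    "p03": {"250.01", "401.1", "272.4"},
    "p04": {"250.02", "401.1", "272.0"},
    "p05": {"493.90", "714.0"},
    "p06": {"493.92", "714.0"},
    "p07": {"493.90", "715.90"},
    "p08": {"401.9", "272.4"},
    "p09": {"401.9", "272.4"},
    "p10": {"250.01", "401.9"},
}


def generalize_code(code, level):
    """Level 0: full code; level 1: three-character category; level 2: suppressed."""
    if level == 0:
        return code
    if level == 1:
        return code.split(".")[0]
    return "*"


def generalize_table(table, level):
    return {rid: frozenset(generalize_code(c, level) for c in codes)
            for rid, codes in table.items()}


def equivalence_classes(table):
    """How many records share each (generalized) code set."""
    return Counter(frozenset(codes) for codes in table.values())


def fraction_unique(table):
    """Share of records whose code set is unique, i.e. the share an adversary who
    knows a patient's codes and presence in the table can single out."""
    classes = equivalence_classes(table)
    return sum(1 for c in table.values() if classes[frozenset(c)] == 1) / len(table)


def reidentify(table, known_codes, level=0):
    """Adversary model from the text: knows the target's identity, ICD codes and
    that the target is in the table. Returns the consistent record ids; exactly
    one id means the target is re-identified."""
    key = frozenset(generalize_code(c, level) for c in known_codes)
    return {rid for rid, codes in table.items() if frozenset(codes) == key}


def release(table, k, max_suppressed):
    """k-anonymity on the code set: use the lowest generalization level at which
    every released code set is shared by >= k records, dropping at most
    max_suppressed (a fraction) outlier records that still sit in smaller classes."""
    for level in range(3):
        gen = generalize_table(table, level)
        classes = equivalence_classes(gen)
        dropped = {rid for rid, codes in gen.items() if classes[codes] < k}
        if len(dropped) <= max_suppressed * len(table):
            kept = {rid: codes for rid, codes in gen.items() if rid not in dropped}
            return kept, dropped, level
    raise ValueError("k-anonymity not reachable within the suppression budget")


if __name__ == "__main__":
    print("unique before:", fraction_unique(RESEARCH_TABLE))            # 0.6
    print("p02 singled out:", reidentify(RESEARCH_TABLE, {"250.02", "401.9"}))
    kept, dropped, level = release(RESEARCH_TABLE, k=2, max_suppressed=0.1)
    print("released at level", level, "suppressed", sorted(dropped))   # 1, ['p07']
    print("unique after:", fraction_unique(kept))                       # 0.0
    print("p02 candidates:", sorted(reidentify(kept, {"250.02", "401.9"}, level)))
```

At category level the released table keeps the disease groupings a researcher would aggregate on, while the adversary's knowledge of p02's exact codes now matches three records instead of one.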

Source


Apr 12 2010

Endpoint data leak prevention still a major headache

More than one in three respondents (38%) are still failing to deploy any form of data leak prevention, whether that be device control, endpoint DLP or DLP appliances. Amongst small to medium sized businesses this figure increases to over half of organizations (54%), according to a survey by DeviceLock.

The survey also revealed that even among those managers who are deploying technology solutions to prevent data leakage from within their organizations, the majority are failing to protect all the possible channels through which data can leak.

In spite of the rapidly growing use of personal smartphones and PDAs within business environments, less than half (48%) of all respondents who had deployed a DLP solution reported that they controlled the data synchronizations between employees’ computers and their smartphones.

Furthermore, only a quarter (26%) of respondents that use DLP solutions are able to control the content of documents printed from corporate computers. This is despite the fact that a recent study published by the Ponemon Institute concluded that the document printing channel was the one most often used for stealing corporate data.

Key findings

77% of respondents acknowledged that they monitor employees’ Webmail and social networking applications such as Facebook and Twitter to prevent data leakage, regardless of whether corporate or private accounts are used. Only 8% of respondents believe that privacy concerns are an obstacle to enforcing such controls, suggesting that concerns about security breaches override those of privacy.

The overwhelming majority of respondents (75%) stated that DLP solutions should support out-of-the-box components for full-text searching in their audit and shadow log database. The reason for this is clearly that full-text search capability reduces the labor and time expenses for security compliance auditing, incident investigations and forensic analysis for IT departments.

IT departments are becoming acutely aware of the need to keep costs arising from highly resource-intensive processes – such as security compliance auditing, incident investigations and forensic analysis – to a minimum. Affordability and ease of use clearly remain significant barriers to entry for those responsible for protecting organisations’ data, especially amongst small to medium sized businesses.

Source