The most recent articles from Computing

Cotton Traders tightens credit card protections

Angelica Mari — 2008-11-20T11:26:00.000Z

Angelica Mari, Computing, Thursday 20 November 2008 at 11:26:00

Retailer deploys 'tokenisation' middleware

Clothing manufacturer Cotton Traders has increased customer payment data security to become compliant with the Payment Card Industry Data Security Standard (PCI DSS).

The company is deploying 'tokenisation' middleware which ensures that credit card details are replaced by a token held in a data depository kept separate from its SAP order-processing system.

"Customer security has always been at the top of our priorities. We want to ensure that our customers know we will manage their data safely," said Nick Turner, development manager at Cotton Traders.

Encrypted valid credit card data stored by the retailer prior to the new system has already been tokenised, said Turner, and information on expired cards has been wiped.

Cotton Traders is using a hosted system from Cybersource, which was chosen after an evaluation by SAP consultancy BizAps.

The retailer achieved PCI compliance in October, but lost thousands of customers' personal details earlier this year as a result of card-not-present fraud.

"In January 2008 we identified a security issue and immediately brought in industry experts to resolve the problem," the company said at the time. An anti-fraud unit backed by UK payments association Apacs has so far made one arrest in connection with the case, which remains under investigation.

The implementation of IT supporting the PCI DSS may be particularly challenging for businesses without a proper security and risk management policy in place, according to Mike Maddison, head of UK security and privacy services at Deloitte.

"Companies already struggle to assess where sensitive information is actually held even before any technical work is carried out," he said.

"That said, the complexity of security measures introduced to the IT setup of organisations working to comply with PCI regulations may disrupt business processes. That is one of the reasons why such projects have such a long time span."

NHS hospitals contract Mytob virus

Dave Bailey — 2008-11-19T12:10:00.000Z

Dave Bailey, Computing, Wednesday 19 November 2008 at 12:10:00

Worm wriggles into IT systems and does a bit of networking

The Mytob computer worm infected three major London hospitals yesterday, forcing them to shut down IT systems for at least 24 hours, and causing ambulances to divert to unaffected hospitals to avoid the 'manual systems' being used in the affected units.

A statement on the Barts and The London NHS Trust web site said that the internal incident arose from a computer virus which "overloaded its network".

"This has been a difficult day," said Julian Nettel, chief executive of the Barts and The London NHS Trust. "But by using back-up systems, manual procedures and working flexibly, we have continued to provide high quality care to our patients."

The London Chest Hospital, the Royal London Hospital and St Bartholomew's had to implement emergency procedures after the infection.

Andrew Clarke, international senior vice president at Lumension Security, said: "Much attention has been focused recently on data protection and controlling and managing removable devices such as USB sticks. However, the integrity of operations is still important and should not be overlooked."

The problem for the hospitals is that Mytob spreads to other systems using shared folders accessible over networked IT systems. The fact that the NHS Trust statement admits to an "overloaded network" shows that the virus was spreading to any system on that network.

So if sites remote to the initial infection were sharing folders, the virus could potentially spread to systems on the other side of the world, as well as those connected locally.

Mytob was first seen in March 2005 and, worryingly for the NHS, is not an unseen virus, normally called a zero-day threat. Mytob replicates by exploiting the so-called Local Security Authority Subsystem Service vulnerability, initially patched by Microsoft in 2004.

Mytob also opens certain ports, lowers security settings on affected systems and blocks security websites. It can prevent the Windows task manager from opening, stopping IT admins from checking and terminating the viral processes.

Public still vulnerable to web fraud

Tom Young — 2008-11-17T13:16:00.000Z

Tom Young, Computing, Monday 17 November 2008 at 13:16:00

Average individual loss reaches £14,500 per incident

A successful fraud attempt on the average working adult is worth some £14,500 to online criminals, who can empty current and savings accounts and credit cards quickly and easily once they have gained access, according to a report published today.

The report from government online security initiative Get Safe Online also found that most UK citizens do not have the right internet security controls in place to prevent such attacks.

Getting the right protection is easy, according to Tony Neate, managing director of Get Safe Online. "If internet users invest a relatively small amount of time and money in ensuring that they are fully protected and up-to-date, the risk of such financial loss is almost negligible," he said.

"To install the essential software and learn about the key safety measures on the Get Safe Online website takes a matter of a few hours, a small but worthwhile inconvenience compared to the potential loss."

The Get Safe Online report, published today, shows that almost half (48 per cent) of UK internet users are still not updating their anti-virus software frequently enough to make it effective.

And almost a quarter (23 per cent) do not have any anti-spyware protection, while nearly half (47 per cent) do not have website authentication software to protect against phishing attacks.

The report warned that the number of phishing attacks is rising sharply, and that 23 per cent of UK internet users surveyed said that they, or someone they knew, had fallen victim to such an attack this year, compared to just eight per cent in 2007.

Figures released in October by UK payment service Apacs showed that online banking fraud losses totalled £21.4m during the six months to June 2008, a 185 per cent rise on the 2007 figure.

Home Office minister Alan Campbell claimed that the government is taking e-crime seriously. "That is why we recently announced a new £7m police unit dedicated to tackling cyber-crime and clamping down on internet fraud," he said.

Origo rolls out Trend Micro email security

Phil Muncaster — 2008-11-13T14:33:00.000Z

Phil Muncaster, Computing, Thursday 13 November 2008 at 14:33:00

Advanced encryption techniques protect sensitive data

UK financial services body Origo is investing in email security technology from Trend Micro to enable secure email communications for its roster of life insurance and pensions firms.

After an intense due diligence process, the organisation had piloted Trend Micro's Email Encryption suite of products at Norwich Union and Skandia and their networks of independent financial advisors. The pilot will now be extended to a full-scale industry solution.

The technology uses advanced encryption techniques to protect sensitive data in emails, thus enabling highly regulated financial services firms to comply with industry requirements and deliver emails securely, according to Trend Micro.

"Traditional email and paper-based communications are no longer sufficient or cost effective," said Origo managing director Paul Pettitt.

"By deploying Trend Micro Email Encryption, financial organisations and independent financial advisors can feel confident that emails containing sensitive data are communicated in a cost-effective, fast and, most importantly, secure way."

Data losses hit 280 million people

Tom Young — 2008-11-07T10:46:00.000Z

Tom Young, Computing, Friday 7 November 2008 at 10:46:00

Sixty million are the victim of hacking while the rest are accidental, says KPMG study

More than 280 million people worldwide have lost personal details because of data breaches in the last three years, according to a KPMG study.

Almost half (46 per cent) of cases had no password protection or encryption, while nearly two thirds (62 per cent) were cases of data being lost rather than stolen.

Better procedures are needed in the public and private sector, according to Malcolm Marshall a partner at KPMG.

“Finding possible leakages and ensuring internal procedures with clear definitions are in place will reduce companies’ risk of becoming a victim of data loss," he said.

"Policies and controls should be continually reviewed due to changes in technologies, processes and personnel.”

The public sector was responsible for 19 per cent of data losses with education and healthcare being the most vulnerable sectors.

Fourteen per cent of losses were in financial services, which is among the most targeted industries by those looking to steal data.

Hacking accounted for more than 60 million victims of data loss between 2007 and 2008.

During 2007, 62 per cent of all people affected by hacking were the victims of three major incidents, including the intrusion into the computer systems of TJX Companies in the US, owner of retailer TK Maxx.

NHS trust guards against further data loss

Rosalie Marshall — 2008-11-04T16:49:00.000Z

Rosalie Marshall, Computing, Tuesday 4 November 2008 at 16:49:00

NHS Lothian implements access controls

NHS Lothian is ramping up the patient information security following a recent data loss incident.

The Scottish Trust is implementing access management security from Lumension Security to restrict network access to approved devices. This is being complemented with end-point control technology from Becrypt.

“Recent well-publicised incidents have highlighted the need to ensure that ICT systems are robust and offer the proper levels of security and that regular staff training is conducted to ensure the proper management of patient records is adhered to,” said Martin Egan, NHS Lothian eHealth director.

Earlier this year, an employee at NHS Lothian lost a USB memory stick containing sensitive information, potentially including sensitive data on 137 patients.

The Becrypt product is an end-point control solution that stops prevents the unauthorised copying of data on to plug-in devices.

The Lumension solution works similarly and will also encrypt all approved devices, including USB drives, CDs and DVDs.

It will also provide the Lothian eHealth Department with an in-depth list of all the devices that have attempted to connect to the network, including those by unauthorised users.

The trust’s long-term ICT partner, Northgate Information Solutions, conducted the review of security protocols and helped the trust implement the security solutions.

The system had to give the IT team "complete control over what users can access and what information can be transferred to portable storage devices while providing the necessary flexibility to ensure end user satisfaction,” noted Egan.

IT leaders call for tougher e-crime penalties

Phil Muncaster — 2008-11-03T14:55:00.000Z

Phil Muncaster, Computing, Monday 3 November 2008 at 14:55:00

Survey reveals widespread cynicism about government response

Electronic crime is still not being taken seriously enough by the government, and stricter penalties should be enacted for those convicted, according to research from blue-chip user group The Corporate IT Forum (Tif).

The organisation's survey suggests that 69 per cent of members had experienced an increase in intentional e-crime, and that 68 per cent of companies now spend up to 40 per cent of their security budgets protecting against cyber-crime.

The survey also highlighted growing scepticism of the government's response to this increase in e-crime.

"We are calling on the government to wake up a little in dealing with this, so we've called for the appropriate deterrents and penalties," said Ollie Ross, head of research at Tif. "At the moment the risk of getting caught is simply not great enough."

Around 48 per cent of respondents gave their highest level of support to " consistent and appropriate penalties for cyber-criminals and cross-border e-crime legislation", according to the research.

The newly-created Police Central E-crime Unit was given a tentative welcome, but there is still a "certain level of cynicism" from Tif members over the poor funding and resources that look set to be invested in the unit, said Ross.

"It is clear from the survey that there is a growing confidence that [our members] are getting to grips with lapses and dealing with anything accidental, by staff training, encryption policies and so on," she said.

"What they can't do is deal with criminal activity, and they feel it is not seen as terribly important by the government."

Government Gateway secured and back online

Tom Young — 2008-11-03T10:07:00.000Z

Tom Young, Computing, Monday 3 November 2008 at 10:07:00

Weekend loss of site information caused temporary shut down

The Government Gateway web site that allows businesses securely to interact with Whitehall services has reopened after the most recent government data loss forced the site to close for 24 hours over the weekend.

A memory stick was found in a pub car park that contained access passwords for the site, as well as some source code.

The £18m site, which is run by the Department for Work and Pensions, is part of the joined-up government initiative and allows businesses and citizens to pay taxes and access other government services online.

The USB memory stick was lost by an employee of supplier Atos Origin, which won the five-year, £46.7m contract to manage the web site in 2006.

The storage device was found two weeks ago outside a branch of the Brewers Fayre pub chain in Cannock, Staffordshire. It was handed to the Mail on Sunday, which handed it on to police.

The Gateway service was taken down as a precaution on Friday night before reopening on Saturday evening.

A DWP spokesman said that the department is certain that the security of the gateway has not been compromised. The department has examined the stick and found that the information provides no risk of compromise.

"On the basis of an initial examination of the contents of the memory stick, it is our experts' opinion that the contents would not allow anyone to breach the very strong security safeguards protecting the web site," said the spokesman.

The memory stick loss and consequent Gateway closure have raised further questions over the planned ID cards scheme, said the Liberal Democrats.

"Why should we trust the government with our details for its database or ID cards system when they simply cannot be trusted with information? These data losses are becoming almost weekly?" Said spokesman Norman Baker.

Baker said it should have been "a basic security step" to ensure memory sticks containing sensitive information "simply don't exist".

Tory spokesman Nick Herbert said it was not good enough for ministers to sidestep blame and hold supplying firms responsible.

"The government contracts with these firms and ministers must therefore accept responsibility for ensuring that personal information will be handled properly," he said.

UK firms lead on security awareness training

Phil Muncaster — 2008-10-29T08:30:00.000Z

Phil Muncaster, Computing, Wednesday 29 October 2008 at 08:30:00

Certification can lead to costs savings, suggests research

UK organisations are spending more money on security training and certification programmes than their US, Canadian and Chinese counterparts, and are reaping the rewards through impressive cost savings, according to research from IT industry body CompTIA.

The survey found that UK businesses spend 18 per cent of their IT budgets on raising the security awareness of staff and see the highest cost savings - £3.3m as opposed to £1.6m in the US.

Reduced server or network downtime because of fewer serious security incidents and improved employee productivity were given as the main reasons why greater investments in security training led to higher cost savings.

But CompTIA's European vice president Matthew Poyiadgi warned that firms must not throw money at training programmes without thinking through a proper strategy first.

"Security training and certification is no different to any other type of training – a targeted approach that takes into account the business objectives, the trainee’s needs and the existing IT capabilities will always give better results than throwing money at a badly thought-out programme," he said.

TNS surveyed IT decision makers in 2024 businesses, including 413 UK companies. It covered six vertical markets manufacturing, finance and insurance, healthcare, government, professional services, and retail.

176 government data breaches took place in the last year

Rosalie Marshall — 2008-10-29T00:30:00.000Z

Rosalie Marshall, Computing, Wednesday 29 October 2008 at 00:30:00

Public sector beats private sector by more than two to one in reported security incidents

There were 176 recorded data breaches in the public sector in the past year, according to figures released today by the Information Commissioner’s Office (ICO). The private sector, by comparison, reported 80 cases.

Of those reported by the public sector, 75 were in the health sector, 28 by central government, and 26 by local authorities.

“It is alarming that despite high profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear ICO guidance, the flow of data breaches and sloppy information handling continues,” said Information Commissioner Richard Thomas.

Thomas will use the figures to highlight the risks associated with large databases, to call for tougher sanctions, and to call on chief executives to take responsibility for all personal information an organisation holds.

Earlier this year, parliament decided the ICO should have the power to impose substantial penalties for reckless breaches and the commissioner is calling for this measure to be implemented as soon as possible so the threat of a fine can deter further losses.

The ICO has also requested an increase in the data protection notification fee for large organisations, which will increase its resources, and for more powers to undertake inspections and audits of data controllers.

“We have already seen examples where data loss or abuse had led to fake credit card transactions, witnesses at risk of physical harm or intimidation, offenders at risk from vigilantes, fake applications for tax credits, falsified Land Registry records and mortgage fraud,” said Thomas.

The number of breaches the ICO has been notified about will still fall short of the total, said Thomas.

He said that although storing personal information in databases can lead to benefits such as better customer service, improved efficiency, more effective law enforcement and protection of the vulnerable, it will always carry great risks.

“The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made,” he said.

Experts call for better security education in schools

Phil Muncaster — 2008-10-28T16:38:00.000Z

Phil Muncaster, Computing, Tuesday 28 October 2008 at 16:38:00

Computing courses for kids need to provide more teaching on safe surfing

Security experts have called for IT security education to be made a major part of school computing courses, with greater funding allocated to ensure users learn how to surf and interact online safely.

Speaking at this year’s RSA Conference Europe show in London, Ken Silva, chief technology officer of VeriSign, said that financial institutions and online organisations such as PayPal are taking positive steps to improve the security education of their customers, but there is still a vacuum at school level.

“Kids are taught how to use computers, but not necessarily how to use them safely,” he said.

“There also needs to be an international campaign to educate users – we get government campaigns around seatbelt safety and smoking but not online security.”

Mark Stanhope, e-crime senior manager at Lloyds TSB, said that millions of pounds are spent on IT education, but only a fraction is allocated to information security.

“If nothing is done on this, then in 20 years’ time, we will be in exactly the same place,” he said.

Jamie Cowper, marketing manager of encryption firm PGP, said that educational resources such as Get Safe Online already exist, although perhaps they have not been publicised enough. He said security software is becoming more intuitive and easier-to-use by consumers, which will also help improve protection online.

“Encryption, for example, is not a consumer tool but it will be,” said Cowper. “The software-as-a-service model will help remove the complexity of security.”

NHS chooses Optenet for content security

Phil Muncaster — 2008-10-27T00:15:00.000Z

Phil Muncaster, Computing, Monday 27 October 2008 at 00:15:00

URL filtering solution will save IT administrators time and could improve productivity

NHS organisations in south west Yorkshire have invested in a web gateway security appliance from Optenet to protect the 11,000-plus users on their books and ease the management of web security for IT administrators.

Optenet was chosen by The Health Informatics Service (THIS), a healthcare information management and technology (IM&T) provider, on behalf of its client organisations, which include Calderdale Huddersfield NHS Foundation Trust, NHS Wakefield District, Southwest Yorkshire Mental Health NHS Trust, Calderdale Primary Care Trust and NHS Kirklees.

The infrastructure managers chose Optenet's Secure Web Gateway appliance partly because of its superior manageability, according to Steve Shaw, senior confidentiality and IM&T security officer at THIS.

THIS previously had no dedicated web filtering solution, which meant that IT administrators had to work retrospectively to find evidence of any non-compliant web usage, often spending several hours each week manually reviewing web usage, said Shaw.

"This method took a lot of time and didn't always provide credible evidence, so we decided we needed a URL filtering system," he explained.

The centrally managed appliance-based solution also gives THIS the ability to load additional modules for solutions like anti-spam, anti-virus and firewall protection in the future, he added.

"Because of the nature of our business, there is the potential to gain new customers or lose existing ones, so we wanted a solution that could be scalable in both directions, and we felt Optenet helped us achieve this," said Shaw.

Councils agree to join secure email network

Tom Young — 2008-10-22T17:10:00.000Z

Tom Young, Computing, Wednesday 22 October 2008 at 17:10:00

The promise of extra funding and expert advice should ensure most councils meet next April’s deadline to join Government Connect

Government Connect (GC), a £33m programme to extend central government’s secure email network to local councils, passed two very significant milestones last week.

First, the scheme has identified areas where savings can be made, allowing it to pledge £2.25m to assist local authorities to connect to the network.

Second, all 410 local authorities in England and Wales have agreed to sign up – a major step as many were struggling with the cost of getting connections in place.

GC is important because it will allow local authorities and central government to exchange information securely over a private network rather than the internet – increasingly crucial for government at a time when every week brings a new data loss story.

Getting the scheme up and running will improve the efficiency of information exchange in the public sector, said programme director Philip Littleavon.

“What councils are beginning to latch on to is that they can set up one secure account and use that for everything,” he said.

Councils need to be connected to the system by April next year, otherwise they will be unable to exchange data with the Department of Work and Pensions (DWP), although those that think they will miss the target can submit a request for a six-month extension.

Littleavon said the “vast majority” will meet this date, though some had already requested extensions.

The scheme – now eight years old and still unfinished – has had a chequered history and has been a source of conflict between central and local government.

A complex code of connection has made it difficult for some smaller local authorities without the necessary IT resources to connect.

It has not helped that central government responsibility for the programme has been shunted round various different departments – the Department for Communities and Local Government, the Cabinet Office, and finally the Department for Work and Pensions, where it remains now, chiefly because the bulk of information that will be transferred over the network will relate to benefits distribution.

Littleavon hopes the extra funding and a panel of experts put in place to provide local authorities with best practice will counter claims thatcentral government was imposing over-strict deadlines and not doing enough to help councils comply.

As well as connecting authorities to central government, the programme will also allow councils to securely exchange data with the N3 national health network, criminal justice, trading standards and police systems. These connections will not go through central government but directly into the systems themselves, allowing councils to share sensitive information on police, asset recovery and judicial operations in a secure way.

“Upper-tier councils provide some of this information to health and law enforcement authorities now in a less secure way than is ultimately desirable,” said Littleavon.

The latest developments are welcome, but more needs to be done, according to Richard Steele, president of public sector IT association Socitm. “We welcome the new leadership and the increased assistance from central government,” he said. “However, we want a vision for security where the entire public sector is on one infrastructure rather than a series of connecting infrastructures, and we’re working with government to try and articulate that message.”

The scheme will also help councils meet a local government version of the data handling review, put together by the Local Government Association (LGA), according to Stephen Jones, director of finance and performance at the LGA.

“In the wake of recent data loss incidents and concerns that the public are losing their trust in government’s ability to secure personal information, the guidelines will help councils meet their responsibilities,” he said.

“The guidelines complement and support the role that Government Connect can play in this.”

A third of companies are not reviewing IT security policies

Tom Young — 2008-10-16T18:12:00.000Z

Tom Young, Computing, Thursday 16 October 2008 at 18:12:00

And less than one in three executives are confident of effective security

Almost a third (30 per cent) of companies have neither measured nor reviewed the effectiveness of their information security policies over the past year, according to a survey by PricewaterhouseCoopers (PwC).

And less than one in three said they were very confident that their information security was effective while even fewer, less than one in four, felt very confident about the effectiveness of their suppliers’ or business partners’ security.

"There appears to be an overall misalignment with executive management’s view of security, causing many organisations to fail to capture the full value from their spending in this area," said William Beer, director in the information security group of PwC.

"Information has become the new currency of business. Its availability, integrity and confidentiality are crucial components of a collaborative business.”

And firms have still not cottoned on to the fact that security is about people as much as technology, a key finding of a PwC report for the government earlier in the year.

According to the survey, employees and former staff were together responsible for 41 per cent of incidents.

“One of the best ways of improving security across a business is to match technology investments with a commitment to other key drivers - the critical business and security processes that support technology and the people that administer and use them," said Beer.

The consequences of UK incidents were financial losses (40 per cent), fraud (28 per cent) intellectual property theft and brand/reputation compromised (both 25 per cent). Some 13 per cent of the incidents cost UK companies between $100,000 and $500,000 (£57,000 to £287,000) each.

Evaluating the security of third party providers was seen as the most important factor to keep in mind for the future.

The survey polled 7,000 information technology executives from 119 countries.

Recession fails to dent security spending

Phil Muncaster — 2008-10-15T14:38:00.000Z

Phil Muncaster, Computing, Wednesday 15 October 2008 at 14:38:00

Ernst & Young survey predicts investments to remain strong

The economic downturn is unlikely to affect investment in information security, according to the 2008 Global Information Security Survey by consultancy Ernst & Young released today.

The report predicted that, while IT is traditionally one of the first functions to see budget cuts, this is not the case with information security.

Only five per cent of respondents intend to reduce annual IT security spending, while 50 per cent plan to increase investment in this area as a percentage of total expenditure.

However, to make the most of their investments in security, companies are advised to establish a clear information security strategy and an integrated risk management approach.

""The economic climate has been challenging for a number of months, so it was a pleasant surprise that security seems to be important enough," said Sheila Upton, director of technology and security risk services at Ernst & Young.

"We'd certainly caution people in times of economic uncertainty that there is usually an increase in crime – so it's not the time to be cutting security."

The survey also revealed that international industry standards like ISO 17799 are gaining greater acceptance, but that a worrying third of firms do not perform any security assessment of the third parties with which they share information.

Ernst & Young found that brand and reputation protection returned to the top of the priority list for chief security officers, 85 per cent of whom said that damage to brand is the most significant consequence of a data breach.