Retailers need to get more security savvy
If the annual Motorola AirDefense Retail Shopping Wireless Security Survey is to be believed, retailers are still not up to speed with how to protect their core assets.
The mobile giant used its AirDefense technology to scan the airwaves at major shopping centres for the presence of wireless networks, and to evaluate which - if any - wireless data security practices were currently in use.
Over 4,000 retailers were evaluated in some of the busiest shopping cities in the world, according to Motorola, and the bad news is that 44 per cent of the wireless devices used by them - including laptops, mobile computers and barcode scanners - could be compromised.
Now, this is a pretty poor show, but some progress is being made; last year the figure was 85 per cent.
But most pressing for all those retailers surveyed, and all the rest out there, will be compliance with the new version of the industry standard, PCI DSS 1.2, which prohibits the use of the now-discredited WEP protocol for wireless data encryption.
According to the Motorola research, 32 per cent of access points surveyed were unencrypted, compared to 26 per cent last year, and a further 25 per cent were still using WEP.
Given the hefty fines and press attention now being focused on firms found to have lost customer data, shoring up this weak point should become a priority for retailers.
January 29, 2009
Data taken to the cleaners
In another startlingly self-serving but amusing piece of research, Credant Technologies - the firm which provides endpoint data protection including encryption - has worked out that 9,000 USB sticks were left in people's pockets last year after they took their clothes to the dry cleaners.
Now guess what you can do to prevent this from being a problem? Well, invest in some encryption technology that would render the data left on a lost USB stick unreadable. Or perhaps deploy endpoint data protection technology in your enterprise which would prevent users from copying sensitive data to their USB sticks in the first place - both of which, presumably, Credant sells.
The firm claims 9,000 USBs were lost last year; except they weren't really. It interviewed 500 dry cleaners, who on average found 2 USBs over the course of the year, and then extrapolated the figures out among the 4,500 dry cleaners operating in the country, according to the Textile Services Association.
This follows similar dubious research by the firm last September conducted amongst London cab drivers, which showed that 6,193 handheld devices such as laptops, iPods and memory sticks are forgotten in the back of taxis every six months. These figures were 'guesstimated' in the same way. Take this story with a large handful of salt then ... but at least try and remember to empty your pockets before taking your clothes to the cleaners.
January 19, 2009
A new information commissioner
News surfaced yesterday that a new Information Commissioner is to be appointed, when current chief Richard Thomas steps down. According to the reports, Justice minister Jack Straw has recommended current Advertising Standards Agency chief Christopher Graham for the job, and although it apparently still has to be ratified by Commons select committee MPs, the ICO is already saying Graham will be its new leader.
It is widely believed that Thomas will retire at the end of June, and although his replacement has voiced the usual "keen to take on this new challenge" and "one of the best jobs in the world" platitudes, he will be a little nervous about filling the big man's shoes.
For one thing, Graham will need to keep a higher profile than he does at the ASA. Thomas did a great job of lobbying for more powers through his frequent outspoken tirades on the erosion of privacy and data protection laws; it took a while but he eventually managed to get them, at the tail end of last year.
Often so-called 'watchdogs' are little more than a toothless annoyance for industry and the government; but a lot of the groundwork has already been laid by Thomas to ensure this is not the case, and Graham will do well to keep pushing the ICO onwards in the same vein. One major legislative matter he may have to deal with is the possible introduction of data breach notification laws at an EU level, to which Thomas has voiced his opposition in the past.
January 14, 2009
The return of the script kiddie
More details are emerging about the man behind the recent celebrity Twitter attack everyone seems to be talking about. In case you had missed it, a hacker managed to post fictitious updates from various celebrity Twitter accounts, including those of CNN anchorman Rick Sanchez, Barack Obama and Britney Spears.
As Mikko Hyppönen of content security vendor F-Secure explained, it was first thought the hacker in question - a teenager known as GMZ - had directly attacked high profile accounts, but this was not actually the case.
GMZ actually used a combination of cunning, luck and technology to do his dirty work. He first targeted the account of a random, popular Twitter user, using an automated password guessing tool to get her password. Once in, he found she was actually a Twitter staffer who had access to the Twitter admin control panel - from then on it was easy to access any account he wished by resetting the passwords.
Some have cautioned that the Twitter staffer who was hacked should have used a password harder to crack than 'happiness', but the real fault surely lies with Twitter's administrators, in letting the system accept an unlimited number of quick-fire log-in attempts.
"I feel it's another case of administrators not putting forth effort toward one of the most obvious and overused security flaws," GMZ wrote in an IM interview with the Threat Level blog. "I'm sure they find it difficult to admit it."
In the end, Twitter is pretty lucky this time that it was only embarrassed by a script kiddie. Next time, the hackers may be motivated by more malicious intent.
January 7, 2009
Chinese clean-up doesn't hit the spot
Any right-minded IT professional reading the headline China to 'clean up' the internet could be forgiven for thinking at last that the government of the world's next great superpower has finally got tough on cyber criminals. The truth, sadly, is slightly more predictable.
Yes, the Chinese authorities have announced they are to get tough on sleaze, and get tough on the causes of sleaze, by punishing any web sites they deem to be displaying inappropriate or 'unhealthy' content. They've already published the names of 19 sites which have so far failed to get rid of such material and warned that these could even be shut down in the future.
Now this sort of behaviour would be deemed rather harsh if it wasn't the Chinese government in question, which has a pretty terrible record when it comes to web censorship. But what may really smart for the site owners in question is the fact that the same government openly backs cyber espionage activities, carried out against its perceived enemies by amateur hacking groups. According to Rick Howard, director of intelligence at iDefense, these groups even wear military-style uniforms.
At present, Chinese firms are not under nearly the same sort of pressure from hackers trying to breach their defences and steal valuable IP and customer details as their western counterparts. But when they do begin to feel the heat, it will be interesting to see whether their government takes more action than trying to remove a few racy images of bikini models from the internet.
January 6, 2009