Category: IT Security

West Berkshire Council is taking remedial action after the Information Commissioner’s Office (ICO) found it in breach of the Data Protection Act (DPA) following the loss of a USB stick containing the sensitive personal information of children and young people.

The details, said to be of ‘a handful’ of children, would be available to anyone finding the memory stick, which was unencrypted and not password protected.

The ICO found that unencrypted devices, in operation before the council introduced encrypted memory sticks in 2006, were still being used by members of staff. Further enquiries revealed staff had not received appropriate training in data protection issues and monitoring of compliance with the council’s policies was found to be inadequate. This is the second data security incident reported by West Berkshire Council within six months.

Nick Carter, Chief Executive of West Berkshire Council, has now signed a formal Undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted.

Sally-anne Poole, Enforcement Group Manager at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children. A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands. I am aware that staff have been provided with encrypted USB sticks since 2006 but older devices were not recalled…”

A German court has fined a man for failing to secure his home wireless internet access point which was used to download music without the copyright holder’s permission.

Wireless networks are common in most homes nowadays, providing wireless connection to the Internet through the home owner’s connection. Leaving this network without security can be like leaving your front door unlocked.

Anybody in the vacinity can access your Internet connection, the files folders and shared devices, and can download illegal material at their convenience. This could be avoided if the Cricket Wireless APN or similar options were configured.
The owner of the network was able to prove that he was on holiday at the time, but Germany’s federal high court of justice said that the owner had to bear some responsibility for the actions of a third party using their system.

“Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation,” the court said, according to news agency Associated Press (AP).

“It is vital that all owners of a wireless network make sure it is secure. Failing to do this can have catastrophic consequences on the owner of the network” Stuart Gilbertson, Managing Director of Consider IT went on to say “When you fail to secure your network, you give all users the ability to access your Internet connection, your data, and probably your files. With the right equipment and know-how, they can watch what you’re doing on the Internet with ease”.

A number of clients and us included have recently received an email pertaining to be from iTunes congratulating the recipients for winning a $50.00 Gift Certificate.

Please be warned: THIS IS A VIRUS!

The email body contains the following:

Hello!
You have received an iTunes Gift Certificate in the amount of $50.00 You can find your certificate code in attachment below.
Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

The email contains an attachment ZIP file which contains the executable iTunes_certificate_247.exe file. When run, the executable modifies your registry and creates files in specific directories. So please don’t do it.

At time of writing, AVG did not recognise the .exe file as a vulnerability.

Consumers and IT support personnel around the country found themselves in a nightmare situation this afternoon; at best, their Windows XP-based machines simply couldn’t connect to a network, but more often than not were stuck in an endless loop of reboots.

The update, labeled 5958, causes McAfee to misidentify svchost.exe (an essential Windows system file) as a piece of malware and delete it. The official statement from McAfee indicates that the flaw only effects Windows XP machines with SP3, and results in “moderate to significant performance issues.” Of course, reports from around the Web indicate this affects systems that are only up to SP2. And calling an endless cycle of reboots a “performance issue” is a bit of an understatement.
There are unconfirmed reports that the flaw has taken out banks of systems at Intel and Dish Network, and the New York Times is reporting that dozens of PCs at the Illinois State University in Normal were taken out as well.

McAfee has released a “fix” for the problem that really only suppresses the issue and doesn’t directly address the false-positive issue. The fix also requires that a technician individually visit and repair any affected system, meaning that it may be a long night for support staff at companies and institutions who turn to McAfee for their virus protection.

The Information Commissioner’s Office (ICO) has found Warwickshire County Council in breach of the Data Protection Act (DPA) following the theft of two laptops and the loss of a memory stick.

The laptops, which were unencrypted and not physically secured or locked away, were stolen from council offices. They held sensitive personal information relating to a number of pupils and members of staff from two schools. The council also reported a separate incident to the ICO, involving the disappearance of an unencrypted memory stick holding a small amount of personal data relating to children attending an education centre.

Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when
it concerns sensitive information relating to children. A lack of awareness of data protection requirements can lead to personal information falling into the wrong hands.

The Information Commissioner’s Office (ICO) has found St Albans City and District Council in breach of the Data Protection Act. A laptop was stolen which was used to store postal voters’ records as part of an election process in June 2009.

The personal information, which was password protected but unencrypted, remained on the laptop when it was no longer required. At a later date it was left unsecured on a desk until it was discovered missing on 5 November 2009 along with three other laptop computers belonging to the council.

Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: “When organisations store large volumes of personal details on portable computers, encryption is essential. They must ensure staff and contractors are trained to handle personal information securely to avoid the risk of information falling into the wrong hands. It is also crucial organisations don’t keep personal information for longer than is necessary.”

Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection

The Information Commissioner’s Office (ICO) has found Zurich Insurance plc in breach of the Data Protection Act after it lost an unencrypted back-up tape containing financial personal information belonging to 46,000 policy holders of Zurich Private Client, Zurich Special Risk and Zurich Business Client, which are all part of Zurich Insurance plc.

The back-up tape, which also included personal details of 1,800 third parties, was lost by a sister company, Zurich Insurance Company South Africa, during a routine transfer to a data storage centre in South Africa. The data loss occurred on 11 August 2008 although the sister company did not inform Zurich Insurance plc until over a year later. Subsequent internal investigations revealed failings in the management of security procedures involving data tapes in South Africa.

Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: “It is vital that organisations ensure effective safeguards are in place to protect personal information. Failure to adequately protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers’ trust and confidence…”

On Wednesday, Reuters reported that a new password stealing virus is working its way through the Internet targetting Facebook users.

Hackers flooded the ‘net with spam messages that are targetting Facebook’s estimated 400 million users in an attempt to steal your personal information.

The email message tells its recipients that the passwords on their Facebook account have been reset, urging them to open an attachment to obtain new login details. Consider IT warns all readers NEVER to open unknown attachments!

A Facebook spokesman said the company could not comment on the specific case, but pointed to a status update the company posted on its website earlier on Wednesday. This update warned users about the illicit email and advises users to delete it immediately.

The email’s subject line says “Facebook password reset confirmation customer support,” according to Dave Marcus from McAfee.

The Information Commissioner’s Office (ICO) has found that the Royal London Mutual Insurance Society breached the Data Protection Act (DPA) after eight laptops, two of which contained the personal details of 2,135 people, were stolen from the company’s Edinburgh offices. The individuals affected were employees of various firms which had sought pension scheme illustrations.

The two laptops containing personal information were unencrypted but were password protected. An internal report established that the company was uncertain about the precise location of the laptops at any given time and that physical security measures were inadequate. The report also revealed that managers were not aware that personal information was stored on any of the laptops, which meant no additional precautions to control and secure the data had been taken.

Mick Gorrill, Head of Enforcement at the ICO, said: ”It is crucially important that portable devices such as laptops containing personal information are properly protected. It is particularly concerning that the organisation was unaware of the whereabouts of the laptops at any given time or what information they held. All staff members should be fully aware of the policies and procedures in place to safeguard personal information and should be appropriately trained.

Facebook users have been warned that a “who viewed my profile” application is indeed a scam and does not genuinely show you who has looked at your profile at all.

Rik Ferguson, a senior security consultant at Trend Micro, warns he has already identified 25 different copies of the same rogue app but using different monikers such as peeppeep-pro, profile-check-online and stalk-my-profile.

Some of the Facebook Applications even offer a photo montage of the aleged visitors to your profile – these are fake and it simply randomly selects a group of your known friends and shows them in the image.

“The app itself is designed to look convincing enough, but none of the many ‘Continue’ buttons it offers will activate some under-the-counter profile checking functionality – they will just push you into another Facebook app earning the scammer advertising revenue in the process,” Ferguson explains in a blog post containing screenshots illustrating the scam, which resurfaced over the weekend. “There is no officially sanctioned Facebook functionality that will allow you to view who has been checking your profile.”

As always, TheRegister has a full report here: http://www.theregister.co.uk/2010/03/15/facebook_profile_stalk_scam/

At Consider IT, we want all our clients, customers and readers of our blog to remember not to install Applications you don’t trust. If something looks suspicious, then chances are it’s a scam. Err on the side of caution and ask yourself if you really want this unknown Application on your Facebook profile.

At the time of posting, Facebook have taken action to remove the offending Applications from their services.