IP Wars: Who’s The Real Enemy?

Thanks to the blackout of Wikipedia and the efforts of Google and Facebook, the federal bills known as SOPA (Stop Online Piracy Act) and PIPA (Protect IP Act) have been put on the back burner for revision. The actions last month by the three websites generated millions of protest emails against the controversial legislation. But however unpopular the bills are, because they are perceived as going against the spirit of keeping the Internet free and open, the problem of stolen goods continues to be pervasive.

Knock-off bogus products make the world go round to the tune of $135 billion, the amount of sales attributed to counterfeit goods sold online. I admit that not a day goes by when I’m not tempted to buy a darling Coach bag for $49. The only thing stopping me is that the offer comes wrapped in spam (and a potential payload of malware).

Findings published in 2007 by the 30-nation economic forum OECD claim that losses from the international trade in counterfeit and pirated products total $200 billion. What’s shocking is that this total does not include pirated products distributed over the Internet.

Initially, Massachusetts and New England-based companies such as Bose, ESPN, New Balance and Timberland supported SOPA and PIPA. Now, many organizations have turned their backs on SOPA to align with Internet giants that have no intellectual property to worry about losing. How would you feel about this legislation if pirates stole your IP and resold it for profit?

Let’s be clear on one provision: The bills never aimed to shut down a U.S. website because of its links to piracy sites that infringe on copyrights. The bill would simply ask that site to remove links to rogue sites that courts find to be peddling contraband.

The Business Software Alliance, an anti-piracy group supported by the likes of Apple and Microsoft, as well as several Massachusetts companies, supported SOPA but stressed in a November blog post how “much work remains ahead” for Congress to review it. Last year, the BSA filed an eye-opening study on the problem that said emerging economies “have become the driving force” behind software piracy, which jumped 14 percent in 2010.

And real jobs are at stake. In May 2011, the Federal Trade Commission stated: “U.S. firms in the IP-intensive economy reported that an improvement in China’s (intellectual property rights) protection and enforcement to levels comparable to the United States’ would likely increase employment in their U.S. operations by approximately 923,000 jobs.”

Whatever happened to our trust in a government designed to protect its people?

Granted, the public’s initial response to laws perceived to even hint at Internet regulation will be negative. Many protests to the bills were irresponsible and opposed these piracy rules based on exaggerated claims behind their potential enforcement. We should break our habit of seeing the government as the bad guys, then get a grip and face the real bad guys: online pirates that don’t play by the rules.

By Michelle Drolet, founder and CEO, Towerwall

This article was recently published in Worcester Business Journal

Can you stamp out spambots? No, but you can help

The headline reads, “FBI warns of new malware targeting bank accounts,” but it could just as well say, “More new victims born from opening emails.”

From the simple act of opening an email and clicking on an attachment, the victim’s username and password to their bank accounts are stolen by a process called keylogging, where the information is captured directly from your fingers as you type in your credentials.

What’s scary is that bogus emails can appear to come from someone you know is a legitimate sender. One of today’s newest malware variants is called Gameover, and the email transporting the trojan is seemingly sent from the Federal Reserve Bank or the FDIC. Gameover is a modified version of the infamous Zeus malware that never seems to die.

Cyber criminals have grown in sophistication, on par with the largest of organized crime rings.

But let’s keep in mind that companies of all sizes are actively taking part in these schemes. I say “actively” because they are aiding and abetting the proliferation of spam botnets, or spambots, without awareness.

Nearly everyone complains about spam, but how many people know that their own PCs are most likely responsible for sending it? Designers of spambots create malware that converts the PCs of unsuspecting internet users into spam-generating zombies. By using a fraction of the processing power of thousands of PCs daisy-chained together, these spambots manage to send billions of unwanted emails without the PCs’ owners ever noticing.

A recent example is Rustock. Before it was shut down, this spambot, one of the world’s largest, infected more than one million PCs and generated 30 to 44 billion unwanted emails — about 48 percent of all the junk messages sent, according to security company Symantec. Yet few have heard of it.

From individual home users to Fortune 500 companies, countless web citizens are being affected daily. But unlike widely publicized exploits of yore (remember the ILOVEYOU and Melissa worms?), today’s spambots prefer to operate in the dark. They actively avoid publicity so the average person doesn’t know about them and therefore won’t be looking to detect and eradicate them.

Many attack methods successfully avoid detection by traditional security mechanisms. That’s because new detection avoidance schemes are increasingly sophisticated. Like something organic and Darwinian, malware can have the power to continuously mutate, changing its signature in the process.
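The point above, that a file can keep the same behaviour while its “signature” changes, is easiest to see in a few lines. The example below is added here and is not code from the article or from Towerwall; the byte strings are constructed stand-ins for two variants of one malware family and a benign file, not real samples. It shows why a detection keyed on a file’s exact hash stops matching after a trivial change to filler bytes, while a rule keyed on something the sample cannot change without losing its function (here, an assumed check-in URL path) still fires.

```python
"""Exact-hash signatures versus an invariant-content rule under trivial mutation.

Added example, not from the article.  All byte strings are constructed
stand-ins; the hostnames use the reserved .invalid TLD and resolve nowhere.
"""
import hashlib
import re

# Constructed stand-ins for two variants of the same family.  The only
# difference is the filler at the end, which is enough to change the hash
# without changing what the sample would do.
VARIANT_A = (b"MZ" + b"\x00" * 14
             + b"http://beacon.example.invalid/check-in"
             + b"\x00" * 16 + b"FILLER-A")
VARIANT_B = (b"MZ" + b"\x00" * 14
             + b"http://beacon.example.invalid/check-in"
             + b"\x00" * 16 + b"FILLER-B-" + b"\x90" * 7)
# Constructed benign file that shares the header and a URL, but not the
# family's check-in path.
BENIGN = b"MZ" + b"\x00" * 14 + b"http://updates.example.invalid/version"


def sha256(blob: bytes) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(blob).hexdigest()


# A hash block list, as a vendor might ship it after seeing only variant A.
KNOWN_BAD_HASHES = {sha256(VARIANT_A)}


def hash_signature_match(blob: bytes) -> bool:
    """True if the file's exact hash is on the block list."""
    return sha256(blob) in KNOWN_BAD_HASHES


# A content rule keyed on an invariant the family needs to keep working:
# its check-in URL path (hostname allowed to vary, path must be present).
CHECKIN_RULE = re.compile(rb"https?://[a-z0-9.-]+/check-in")


def content_rule_match(blob: bytes) -> bool:
    """True if the invariant check-in pattern appears anywhere in the file."""
    return CHECKIN_RULE.search(blob) is not None


def classify(blob: bytes) -> dict:
    """Report both verdicts so the gap between them is visible."""
    return {
        "hash_hit": hash_signature_match(blob),
        "rule_hit": content_rule_match(blob),
    }


if __name__ == "__main__":
    for name, blob in (("variant A", VARIANT_A),
                       ("variant B", VARIANT_B),
                       ("benign", BENIGN)):
        print(name, sha256(blob)[:16], classify(blob))
```

Running it shows variant A caught by both methods, variant B caught only by the content rule, and the benign file caught by neither. The lesson for a defender is not that hashes are useless (they are cheap and precise for known files) but that they must be paired with rules and telemetry keyed on what the malware has to do, not on how its bytes happen to be arranged today.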

Attackers work to avoid creating recognizable patterns. Often, intruders install backdoors for easy re-entry. There seem to be limitless ways of eluding detection.

Heuristics and fuzzy logic tools may be an improvement, but they are a far cry from meeting the detection needs of most organizations. All of this raises the question: what steps can you take to prevent your organization from becoming the target of an attack? Is there any way to stamp out spambots?

Probably the best way is to put into place a regular vulnerability testing program to identify weaknesses and quickly address those found. These systems basically scan computers and networks to sniff out holes much like professional hackers do. They find backdoors typically left open and unnoticed by other methods.

By conducting regular internal and external vulnerability testing to identify weaknesses, set priorities, and monitor remediation results, your organization will be in a better position to ward off the bad guys.
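The three activities named above (identify weaknesses, set priorities, monitor remediation results) are easy to state and easy to let slide between scan cycles. The example below is added here and is not code from the article or from Towerwall; the two scan result sets are constructed, with placeholder finding IDs rather than real CVE numbers, and the severity ladder is an assumption. It turns a pair of scans into a prioritized work queue, a fixed/new/persistent diff, a remediation rate, and a list of high-severity findings that survived a whole cycle without being fixed.

```python
"""Prioritize and track vulnerability scan findings across two scan cycles.

Added example, not from the article.  Scan data below is constructed;
finding IDs are placeholders, not real CVE identifiers.
"""

# Assumed severity ladder; larger number means work it first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Severities that should never survive from one scan cycle to the next.
MUST_FIX_BEFORE_NEXT_SCAN = {"critical", "high"}

# Constructed output of two consecutive scan cycles.
SCAN_PREVIOUS = [
    {"host": "web-01",  "id": "FINDING-0001", "severity": "critical"},
    {"host": "web-01",  "id": "FINDING-0002", "severity": "low"},
    {"host": "db-01",   "id": "FINDING-0003", "severity": "high"},
    {"host": "mail-01", "id": "FINDING-0004", "severity": "medium"},
]
SCAN_CURRENT = [
    {"host": "web-01", "id": "FINDING-0002", "severity": "low"},       # still open
    {"host": "db-01",  "id": "FINDING-0003", "severity": "high"},      # still open
    {"host": "db-01",  "id": "FINDING-0005", "severity": "critical"},  # newly found
]


def finding_key(finding: dict) -> tuple:
    """A finding is identified by where it was seen and what it is."""
    return (finding["host"], finding["id"])


def prioritize(findings: list) -> list:
    """Work queue: highest severity first, then by host and ID for stability."""
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK[f["severity"]], f["host"], f["id"]),
    )


def diff_scans(previous: list, current: list) -> dict:
    """Split findings into fixed (gone), new (appeared) and persistent (still open)."""
    prev_keys = {finding_key(f) for f in previous}
    cur_keys = {finding_key(f) for f in current}
    return {
        "fixed": sorted(prev_keys - cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "persistent": sorted(prev_keys & cur_keys),
    }


def remediation_rate(previous: list, current: list) -> float:
    """Fraction of last cycle's findings that no longer appear."""
    if not previous:
        return 1.0
    return len(diff_scans(previous, current)["fixed"]) / len(previous)


def overdue(previous: list, current: list) -> list:
    """Persistent findings whose severity should have forced a fix within one cycle."""
    by_key = {finding_key(f): f for f in current}
    return [
        key for key in diff_scans(previous, current)["persistent"]
        if by_key[key]["severity"] in MUST_FIX_BEFORE_NEXT_SCAN
    ]


if __name__ == "__main__":
    print("work queue:", [f["id"] for f in prioritize(SCAN_CURRENT)])
    print("diff:", diff_scans(SCAN_PREVIOUS, SCAN_CURRENT))
    print("remediation rate: %.0f%%" % (100 * remediation_rate(SCAN_PREVIOUS, SCAN_CURRENT)))
    print("overdue:", overdue(SCAN_PREVIOUS, SCAN_CURRENT))
```

On the constructed data the remediation rate is 50 percent, which looks acceptable until the overdue list shows that the one high-severity finding on the database host is among the ones still open. Reporting the rate alone would hide that; tracking persistence per severity is what turns a scan into a program.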

By Michelle Drolet, founder and CEO, Towerwall

This article was recently published in SC Magazine

Loss Of Customer Personal Information Damages Banks’ Credibility

On Jan. 5, federal law enforcement seized several automobiles worth about $100,000. They had belonged to the former president of the Massachusetts Bank and Trust Company and were taken as restitution for his defrauding the bank in 1997. It seems that not a day passes by when news of banking-related fraud, money laundering, or a privacy violation is not reported.

Last year in May, Bank of America sustained a $10-million loss when an insider sold the bank’s customer data to organized criminals who then committed fraud against the bank’s customers. Thanks to a former associate, the scammers obtained names, addresses, Social Security numbers, phone numbers, bank account numbers, driver’s license numbers, birth dates, email addresses, mother’s maiden names, PINs and account balances.

All organizations depend on information. Confidential information – sales leads, customer accounts, trade secrets, intellectual property (IP) – gives you the competitive edge. If that information is stolen or misused, however, your competitive edge can evaporate and your reputation and balance sheet can take a major and potentially fatal hit.

Lax Monitoring
Regulated information – such as credit cards, personal and financial information – is frequently the target of attacks. Theoretically, this data is protected by U.S., state and federal regulations that require strong security controls. The reality, however, is that many businesses are not fully compliant with these regulations. Or, they may believe they are – with all the right policies in place, but lax or no monitoring or enforcement.

It doesn’t matter how regulated data is lost – whether a hacker steals customer data, or a well-meaning employee loses a laptop or other portable device containing sensitive data. Whatever the cause, the loss of regulated information amounts to a reportable data breach.

Recently enacted state and federal regulations mandate security breach reporting if it involves customer or employee personally identifiable information (PII). But the increase in breaches can’t be accounted for by increased reporting alone.

Key Chains To Disaster
We’ve all seen it: Critical information is backed up on USB drives that dangle at the end of key chains. Employees increasingly depend on devices that IT has little or no control over, such as smartphones, tablets and MP3 players. Users often back up sensitive data to these gadgets – and often fail to encrypt it, compounding the impact of its loss. Some banks prohibit employees from using USB drives, but most have no formal policy in place.

Tangible losses are those for which we can calculate a cost. But intangible losses – particularly the loss of trust – can’t be fully measured. Trust takes time to build. And it can be wiped out in an instant when a trusted organization loses or misuses the personal information that has been entrusted to it. This is particularly true for customer information loss.

The loss of any information – whether internal confidential communications, customer and employee information protected by regulations, trade secrets or intellectual property – is costly in tangible and intangible ways.

Even if your organization doesn’t outsource, you’re still at risk for a more common type of insider attack – customer information theft. Bank of America, JPMorgan Chase, UBS AG, Wells Fargo and General Electric have publicly acknowledged that former employees engaged in illegal activity. The companies have paid a combined $743 million in restitution and penalties.

Gray Area
Unlike piracy or patent infringement, customer information theft exists in a legal gray area. In many states, non-compete and non-solicitation agreements favor the organization. But in some states non-compete clauses are not enforceable. The employee can retain the relationship so long as it doesn’t involve any solicitation. These terms and conditions are nearly impossible to enforce.

When departing employees take sensitive organizational data with them as they leave, the potential for negative consequences is enormous. If you suspect an employee has improperly taken customer information, you need a strong forensic process and tools in place, as well as policies that prevent, for instance, the re-issuing of computers the moment someone leaves. Otherwise, you’ll be hard-pressed to prove any wrongdoing.

One way of minimizing insiders’ opportunity to steal sensitive data is through vulnerability scanning and penetration testing. These can help your organization find weaknesses in access controls, the technical implementation of administrative policies and other vulnerabilities that enable insider attacks.

By Michelle Drolet, founder and CEO, Towerwall
Special to Banker & Tradesman

This article was recently published in Banker & Tradesman