Jaime Chanaga, CISSP, CISA

Computer "botnets" estimated of generating over $20 million in economic loses for businesses and consumers are disrupted by the U.S. Federal Bureau of Investigation (FBI), U.S. Secret Service, U.S. Immigrations Customs Enforcement and New Zealand Police.  (FBI Press Release: http://www.fbi.gov/pressrel/pressrel07/botroast112907.htm)

"Operation Bot Roast II" is an excellent example of interagency cooperation by U.S. Federal and international law enforcement agencies in the fight against cyber crime.

While the law enforcement community has done their part, it is time for us as consumers to do our part prevent cyber crime.  If you have not already done so, please install anti-virus, anti-spyware, firewall, and wireless encryption defenses to protect your personal computer and networks.   In doing so, each of us can do our part to prevent cyber crime by following basic computer security precautions.

For more information:

• OnGuardOnline.gov
  http://onguardonline.gov/botnet.html
• See my June 13, 2007 blog post
  1 Million Computers Affected by Botnet; FBI Announces

This holiday season, some of us may do some of our shopping online.  Before doing our shopping online, we should follow basic security steps to guard our personal and financial information from fraud and identity theft.

Here are some tips for safe holiday shopping online:

1. Make sure your security software is up-to-date.  Update your anti-virus, anti-spyware, and firewall software to minimize the risk of falling victim to malicious threats like trojans or computer viruses that could attempt to steal your personal information or provide hackers access to your computer.
2. Don't conduct any online shopping on public computers such as those found at cybercafes, public libraries, etc.    The public computer you use, could have spyware or other malicious software installed that in turn could compromise your personal and financial information.
3. When in doubt about a retailer, check them out.  Do an online search on a retailer and read comments from other customers.  Contact the Better Business Bureau and find any additional information they may have on the company.
4. Monitor your credit.  Make it a habit to monitor your credit regularly with the major credit bureaus.

Here are some additional resources for safe online shopping this holiday season.

• The National Cyber Security Alliance
  http://www.staysafeonline.info/basics/shoppingTips.html
• Yahoo! Shopping
  http://docs.yahoo.com/docs/info/consumertips.html

Fifth Third Bancorp (NASDAQ: FITB) has been fined $880,000 by Visa Inc. for FITB's role in the data breach at TJX Companies Inc. (NYSE: TJX).  (Click here for article by Boston Globe)  In recent years, banks, merchants, and credit card issuers have been at odds over who should be responsible for protecting credit card data.   

Thanks in part to the collaboration by credit card issuers like Visa and MasterCard, today the PCI (Payment Card Industry) Security Standards Council, an independent organization, is leading efforts and developing industry standards for data security that banks, merchants, and credit card issuers can all agree to adopt as baseline for the protection of consumers' credit card data.  Despite all of these efforts data breaches have occurred because of the reluctance by organizations to implement appropriate data security measures.

It is my hope that the motivation for banks and merchants to act to protect consumers' personal and financial information is not only driven by self-regulatory industry actions.

The Associated Press (AP) is reporting the Personnel Department of the State of Nevada has lost track of at least 470 compact discs (CDs) containing the social security numbers and payroll information for state employees during the past three years.  The Personnel Department has sent more than 13,000 CDs to 80 agencies for processing every-two week pay period during the past three years.

The State of Nevada is enacting changes to ensure this type of data loss does not happen again including:

• Discs will be signed for and returned to the Personnel Department after every pay period
• Passwords will be required to read data stored on CDs
• State employee information will be correlated to unique employee ID numbers instead of social security numbers

In my opinion, these public relation driven policy changes are window dressing rather than substantive data security, access, and audit controls to prevent the misuse of sensitive personal and financial information for state employees.

It is time government agencies do a better job of protecting our personal and financial information.

Australian IT is reporting (to see article click here) that on-line CRM services company Salesforce.com (NYSE: CRM) suffered an IT security breach.   Salesforce has admitted the cause of the incident as being attributed to an employee being duped by a "phishing scam".

The company has admitted customer account information including passwords may have been compromised by non-authorized parties.  According to the article by Australian IT there are more than 1,000 subscribers to Salesforce.com may have been affected in Australia alone.