The Almanac

An eclectic collection of research and resources.

Spyware Bots: They're Everywhere

Some of them are innocuous, just tracking Web site visits. But "spyware bots"—software modules deposited onto a PC without the user's knowledge—are the truest form of Trojan horses, says Jim Hurley, an analyst at Aberdeen Group Inc.

Some of these bots are treacherous, he says, capable of hijacking the browser, capturing keystrokes, sniffing passwords, collecting confidential data, piggybacking on telecommunications services and allowing outsiders to take control of the PC.

Spyware makes its way into the bowels of the PC when new software packages are installed or upgraded. In addition, e-mail and Web portals contain self-installing spyware agents, Hurley explains.

Few people know that their PC is riddled with spyware bots, which communicate the information they collect to Web sites. Neither antivirus software nor firewalls can stop them.

Sanitizing hard drives is rarely done.

"Spyware is now on every PC in every home, corporation and government agency throughout the world," Hurley asserts. His recommendation: Type spyware in a Web search engine and get one of the spyware detection-and-elimination tools listed there to find out what sort of spies are lurking in your PC.

Resold Hard Drives Yield Private Data

MIT researchers have confirmed that many resold and discarded computers—even those with "erased" hard disks—harbor confidential data such as credit card numbers and medical records that can be readily recovered.

Scavenging through the data left on 158 secondhand disk drives, the researchers found more than 5,000 credit card numbers, as well as detailed personal and corporate records. One disk apparently came from an automated teller machine in Illinois and had a year's worth of financial transactions.

Many of the disk drives had been reformatted, or the My Documents folder had been deleted, but that didn't make the data unreadable. In all, only 12 drives were properly sanitized, the researchers reported in the journal IEEE Security and Privacy.

Patent Watch

• A method for detecting security vulnerabilities in a Web application. Most scanners look for vulnerabilities at the network level, but this one probes for security weaknesses at the application level. —U.S. Patent No. 6,584,569, issued June 24. Inventors: Eran Reshef, Yuval El-Hanany, Gil Raanan and Tom Tsarfati, for Sanctum Ltd. in Herzelia, Israel.

• A "digital persona" for providing access to personal information. An information server stores a person's identifying information and privacy preferences. If another computer requests the personal data, the digital persona server compares the request with the privacy preferences and either approves the release of the data or denies the request if the conditions are unacceptable. —U.S. Patent No. 6,581,059, issued June 17. Inventors: Robert Carl Barrett and Paul Philip Maglio, for IBM.

Unisys Suite Detects Criminal Patterns

Unisys Corp. recently unveiled the Active Risk Monitoring System (ARMS), software that may help banks spot patterns of seemingly unrelated events that add up to potential fraud, identity theft or money laundering.

Actimize Ltd. in New York provides the underlying analytics technology, which monitors transactions in real time, identifies patterns of suspicious behavior and flags transactions according to predefined criteria.

For example, suppose a criminal uses 30 stolen ATM cards in succession to withdraw $500 each time. None of those transactions taken alone would raise a flag, but ARMS can detect a change in the rate of transactions during a certain time period or spot the increased number of cards that have never been used at that ATM before, Unisys says.

—Paul Roberts, IDG News Service
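The pattern rule described above, sketched as an added example; this is not Unisys or Actimize code. The window length, both thresholds, the per-transaction limit, and all ATM and card identifiers are assumed values, and the transactions are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds are assumed values for illustration, not ARMS settings.
WINDOW = timedelta(minutes=30)  # sliding look-back window per ATM
MAX_TXNS = 10                   # withdrawals tolerated per ATM inside WINDOW
MAX_NEW_CARDS = 5               # first-time cards tolerated per ATM inside WINDOW
PER_TXN_LIMIT = 1000            # classic single-transaction amount rule

def single_txn_flags(txns):
    """Per-transaction rule: looks at each withdrawal in isolation."""
    return [t for t in txns if t[3] > PER_TXN_LIMIT]

def pattern_flags(txns, history):
    """txns: (timestamp, atm_id, card_id, amount) tuples sorted by time.
    history: (atm_id, card_id) pairs seen before the monitored period.
    Returns (timestamp, atm_id, reasons) per withdrawal that breaks a window rule."""
    seen = set(history)
    recent = defaultdict(deque)  # atm_id -> (timestamp, card_is_new) inside WINDOW
    alerts = []
    for ts, atm, card, _amount in txns:
        is_new = (atm, card) not in seen
        seen.add((atm, card))
        q = recent[atm]
        q.append((ts, is_new))
        while ts - q[0][0] > WINDOW:  # expire entries older than the window
            q.popleft()
        reasons = []
        if len(q) > MAX_TXNS:
            reasons.append("rate")
        if sum(new for _, new in q) > MAX_NEW_CARDS:
            reasons.append("new-cards")
        if reasons:
            alerts.append((ts, atm, tuple(reasons)))
    return alerts

def sample_data():
    """Constructed data: routine traffic at two ATMs, then 30 unseen cards at ATM-A."""
    t0 = datetime(2003, 7, 1, 9, 0)
    regulars = ["card-%02d" % i for i in range(4)]
    history = {(atm, c) for atm in ("ATM-A", "ATM-B") for c in regulars}
    txns = [(t0 + timedelta(minutes=40 * i), atm, c, 80)
            for atm in ("ATM-A", "ATM-B") for i, c in enumerate(regulars)]
    burst = t0 + timedelta(hours=4)
    txns += [(burst + timedelta(minutes=i), "ATM-A", "stolen-%02d" % i, 500)
             for i in range(30)]
    return sorted(txns), history
```

On this sample the per-transaction rule flags nothing, while the window rules first fire on the sixth unseen card at ATM-A and never on ATM-B.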

"Security spending can't continue to consume ever-increasing portions of the IT budget. No enterprise can afford to spend more on insurance than on new product development. By 2005, security groups that can't demonstrate security effectiveness metrics will experience flat to declining IT security funding."

—John Pescatore, analyst, Gartner Inc.


Managing Wireless Risks

Financial institutions around the world have taken the following steps:

49% have instituted security policies for wireless usage.
41% have scanned their networks to identify rogue wireless networks.
29% have issued guidelines to employees for safer use of Wi-Fi.

Base: Survey of corporate security and IT managers at 80 financial services companies worldwide

Source: 2003 Global Security Survey by Deloitte Touche Tohmatsu, New York, June 2003


Financial Security

The state of IT security at 80 financial institutions around the world:

• Security is about 6% to 8% of the IT budget in developed countries.

• 63% currently have or plan to establish in the next two years the position of chief security officer or chief information security officer.

• 40% have a chief privacy officer, and another 6% intend to appoint one within the next two years.

• 39% acknowledged that their systems had been compromised in some way within the past year.

• 24% have cyber risk insurance, and another 5% intend to acquire such coverage.

SECURITY TECHNOLOGIES USED

Antivirus 96%
Virtual private networks 86%
Intrusion-detection systems 85%
Content filtering/monitoring 77%
Public-key infrastructure 45%
Smart cards 43%
Biometrics 19%

Base: Survey of corporate security and IT managers at 80 financial services companies worldwide

Source: 2003 Global Security Survey by Deloitte Touche Tohmatsu, New York, June 2003


Copyright © 2003 IDG Communications, Inc.
