Tag Archives: Compliance

An Eerie Silence on Cybersecurity

Apparently it takes an alleged Chinese threat to get the New York Times to notice Internet security problems. The Times has escalated from a recent article to an editorial.

NYTimes Editorial 26 February 2013, An Eerie Silence on Cybersecurity, notes a few exceptions, and then remarks:

American companies have been disturbingly silent about cyberattacks on their computer systems — apparently in fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government.

In some cases, such silence might violate the legal obligations of publicly traded companies to share material information about their businesses. Most companies would tell investors if an important factory burned to the ground or thieves made off with hundreds of millions of dollars in cash.

Maybe it’s better to have a prescribed burn of released breach information than to have a factory fire of unprescribed released information.

Why don’t companies do this?

Continue reading

Companies fear reputation for bad security

As more companies come out of the closet about their Internet security being compromised, still more start to admit it. But many (perhaps most) don’t even know. Fortunately, there is a way the public can get a clue even about those companies.

Nicole Perlroth wrote for the NYTimes 20 February 2013 that corporations try to hide successful cracking of their Internet security:

Most treat online attacks as a dirty secret best kept from customers, shareholders and competitors, lest the disclosure sink their stock price and tarnish them as hapless.

However, as some companies come out of the closet about this (Twitter, Facebook, Apple, etc.) and such

revelations become more common, the threat of looking foolish fades and more companies are seizing the opportunity to take the leap in a crowd.

“There is a ‘hide in the noise’ effect right now,” said Alan Paller, director of research at the SANS Institute, a nonprofit security research and education organization. “This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement.”

Now here’s the interesting part:

Continue reading

ISPs, spam, and botnets? a case in Finland

In Finland, some ISPs proactively detect spamming botnets and do something about it.

A small company that does computer maintenance, “HS-Works Oy” located in Helsinki, HS-Works Oy Finland, received a computer from a customer that needed to be fixed since it was acting slow. HS-Works personnel hooked up the malfunctioning computer to the company’s switch to gain Internet access and so they could control it over their LAN.

Sonera After the computer was through the LAN to the Internet for a while, the local ISP (Sonera) realized someone from HS-Works was connecting to a known botnet and acting in possibly malicious way. So what did the ISP do?

The solution was rigid: they closed the Internet connection from HS-works and informed the company via an SMS message that there had been illicit or malicious connections originating from their IP address and the connection would remain closed until the problem was solved. All web traffic was directed to the ISP’s “Access blocked” page, which offers a link to a free 30-day trial of Sonera Internet Security package (F-Secure software branded under Sonera name).

Network access would be returned after the infected host was fixed or removed from the network. The company raised their firewalls to a more strict level and got the Internet access back on the same day.

How about Finland’s ranking in spam listings in general and the rest of the big Finnish ISP policies on spam? Stay tuned, more information about these on the next post!

-Sami Sainio