IT & Business Infrastructure

PSRINC News Feed

July 6th, 2008 - Record Retention Mandated by New Federal Rules

The new Federal Rules of Civil Procedure (FRCP) have set high standards for the discovery of email and Electronically Stored Information (ESI). In as little as 30 days after litigation is filed, an organization may need to provide detailed lists of what ESI exists and be able to produce that ESI quickly. The Federal Rules of Civil Procedure also require organizations to protect ESI as evidence from willful and/or accidental destruction.

  • An organization must know at the beginning of a case what relevant ESI exists, where it is, and how hard it is to access.
  • An organization must quickly produce all relevant electronic information from active systems.
  • The opposing litigants want to track changes to documents and view metadata, and the organization has to help them.
  • An organization can destroy ESI as part of a routine, pre-arranged process until there is reason to believe that organization

| Type of Data | Minimal Backup Policy | Backup Retention Policy |
|---|---|---|
| System software | Latest version plus patches; at least weekly | Annual (verified) backup; monthly generations; weekly generations |
| Application software | Latest version plus patches; at least weekly | Annual (verified) backup; monthly generations; weekly generations |
| System data | Daily | Annual (verified) backup; monthly generations; weekly generations; daily generations |
| Application data | Daily with real time transaction files | Annual (verified) backup; monthly generations; weekly generations; daily generations |
| Software licenses, encryption keys, & protocol data | Weekly | Annual (verified) backup; monthly generations; weekly generations |

 


June 27th, 2008 - Google Acts Like Microsoft

Google is starting to act the way Microsoft did in the 1990s by taking ideas from smaller companies. Google was named in a trade secrets lawsuit alleging that the company's business software unit copied a tiny start-up's tool for moving customers off of Microsoft software onto Google's.

LimitNone filed a complaint in an Illinois circuit court alleging that Google at first began promoting the smaller firm's tool for migrating Microsoft Outlook customers to Gmail, then copied the idea and went into competition with it.

The lawsuit was brought by the commercial litigation firm of Kelley Drye & Warren LLP - by the same team who previously faced off with Google in a trademark case involving the Silicon Valley company's highly successful online advertising system.


The latest suit takes aim at the company's fast-growing Google Apps software application business, which includes Gmail for business users. Google is seeking to woo customers away from relying on rival Microsoft software.

The complaint accuses the Web leader of engaging in deceptive business practices that chill competition. It seeks reimbursement from Google of actual damages and attorneys' fees, and calls on the court to award punitive damages to LimitNone.


June 11th, 2008 - Data Breaches are a Fact of Life

Data breaches are a fact of life with the advance of Wi-Fi, 3G, and remote computing as it is done in today's flexible business environment.  In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple - if you don’t know where data is, you certainly can’t protect it.

Data breaches and network intrusions occur because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches do not expose such sensitive information; however, they still expose individuals to identity theft and businesses to a compromise of their electronic assets and that must be disclosed under Sarbanes-Oxley and various state laws.

According to Verizon, nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place.

The Verizon "2008 Data Breach Investigations Report" spans four years and more than 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported.


They found that 73 percent of breaches resulted from external sources versus 18 percent from insider threats, and most breaches resulted from a combination of events rather than a single hack or intrusion.

Key Findings Are:

  • Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.
  • Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.
  • Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent.
  • Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.
  • Nine of 10 breaches involved some type of "unknown" including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period.

May 28th, 2008 - Employee Terminated Because He Posted Blog

(IDG News Service)  A low-level employee at The TJX Companies Inc. has lost his job for speaking in public about information-security problems he uncovered while working for the company.

The employee is a University of Kansas student who worked at TJ Maxx's Pine Ridge Plaza store in Lawrence, Kansas. In an e-mail interview, he said he was fired on Wednesday for violating corporate policy by disclosing proprietary information.

TJX is sensitive about information security after being the victim of a massive data theft, apparently made possible by poor security on the company's wireless networks. That breach, which compromised 94 million credit and debit card accounts, has cost the company tens of millions of dollars in legal settlements.

Benson, also known by his hacker name, Cryptic Mauler, is a frequent poster to computer security discussion groups such as Full Disclosure and the Sla.ckers.org Web forum, where he criticized the company's password policy, its server security settings and the competence of the technicians who install firewalls at the company's stores.

"I never use anything but cash at their stores, but it's hard to sleep at night knowing the same network stores my employee information," he wrote on Aug. 22, 2007. "For all I know, that information has already been picked cleaned by the hackers, and [the] company could have swept it under the rug."


May 28th, 2008 - Janco Releases its Data Breach & Network Intrusion Protection Bundle

Data breaches are a fact of life with the advance of Wi-Fi, 3G, and remote computing as it is done in today's flexible business environment.

Data breaches and network intrusions occur because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches do not expose such sensitive information; however, they still expose individuals to identity theft and businesses to a compromise of their electronic assets and that must be disclosed under Sarbanes-Oxley and various state laws.

Janco has defined a set of tools that enterprises of all sizes can use to be prepared to protect against breaches and intrusions, know when one occurs, and respond quickly when it does happen.

The Data Breach and Network Intrusion Detection Bundle contains:

  • Security Manual Template
  • Security Audit Program
  • Network Event Viewer
  • Smart Disk Monitor
  • Text Log Monitor
  • Internet Service Monitor

 


May 16th, 2008 - Even Ants Can Cause a Disaster

(Computerworld) A flood of voracious ants is heading straight for Houston, taking out computers, radios and even vehicles in their path.

Even the Johnson Space Center has called in extermination experts to keep the pests out of their sensitive and critical systems.

The ants have been causing all kinds of trouble in five Texas counties in the Gulf Coast area. Because of their sheer numbers, the ants are short-circuiting computers in homes and offices, and knocking systems offline in major businesses. When IT personnel pry the affected computers open, they find the machines loaded with thousands of ant bodies.

These ants are raising havoc, said a professor of entomology at Texas A&M University in College Station. They are foraging for food, and they go into any space looking for it. In the process, they make their way into sensitive equipment.

The ants have been dubbed Crazy Rasberry ants after the owner of Budget Pest Control in Pearland, Texas. He first tackled this particular type of ant back in 2002. Since then, the problem has only escalated.

The ants have caused a lot of trouble for one Texas chemical company in particular. The ants shorted out three computers that were running a pipeline that brought chemicals into the plant. The ants took down two computers last year and one in 2006, affecting flow in the pipeline each time.


May 13th, 2008 - Identity Theft Made Easy

(PC Magazine) Jocelyn S. Kirsch and Edward K. Anderton made a splash when their story hit the papers. The young Philadelphia couple lived high on the hog by stealing identities from their neighbors, friends and co-workers and ripping them off. This was in addition to their work in burglary and other more old-fashioned crimes, all of which bought them trips to Europe, the Caribbean and elsewhere.


When they were first busted, the police dubbed them Bonnie and Clyde. The state charges were dropped and now the US Attorney wants them to serve 5-year sentences for their crimes. A plea bargain appears to be in the works.

While they used professional Internet tools to facilitate some of these thefts, the bulk of their identity theft was low-tech: purse snatching, burglarizing apartments and mailboxes with stolen keys, breaking into gym lockers, soliciting information over the telephone by false pretenses, picking up documents while visiting. With what they obtained they ran down others' credit cards, established new ones in the victims' names and ran those down, created accounts with banks and spent from those. They transferred a lot of money around to cover tracks.

The moral, other than that some people have no morals, is that online identity theft isn't the only way you can get ripped off. It may not even be the most likely way. Keep an eye on other vehicles, like what's in your mailbox or purse.


May 1st, 2008 - Identity Thief Sent to Prison

(IDG News Service) A New York man faces up to four years in prison after pleading guilty last week to posting fake job ads for technology companies such as Microsoft, Yahoo and PayPal.


The poorly written ads sounded too good to be true. "Microsoft Corporation is now seeking for [sic] bright jobseekers who think big and dream big to fill out many open positions." Applicants could work flexible hours from home and earn between $15 and $27.50 per hour working on administrative, customer service and sales jobs.


Victims who responded were asked to send personal information such as their date of birth and Social Security number. The scammer would then use the information for ID theft or sell it to other criminals, said a senior attorney with Microsoft's Internet Safety Enforcement division. The man even asked for detailed banking information, an unheard-of request in legitimate job applications.


April 25th, 2008 - Social Security Numbers On Web Server Should be Encrypted

(IDG News Service) Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised.


The personal data was in a file on the university Web server, which was accessed by criminals who were using the university site as part of a spam operation. The hackers were using the University Web server as a host for their own Web site.

Pages on the university site contained ads for diamond rings, Viagra and Cialis. After noticing the ads, IT staff discovered the file containing the sensitive information. When they were doing the security review after the hacker incident, they saw this file there and it was not properly secured, so it could have been targeted by someone.

The university believes that the hackers came from outside the U.S., and it is working with the Connecticut attorney general's office to investigate.

The file on the Web server contained names, addresses and Social Security numbers of students who had registered to graduate from the school, dating back to 2002.


April 22nd, 2008 - Disaster Recovery Business Continuity Quick Action Steps Defined


The things your company must do to make sure the disaster recovery and business continuity plan will work when it is needed are:

  • Distribute the disaster recovery and business continuity plan or a HandiGuide® to all decision makers and key operating employees who will need access to it when the event occurs.
  • Define the chain of command with a single leader, but do not limit the people who would have to implement the disaster recovery and business continuity plan when the event occurs if that leader is unavailable.
  • Conduct frequent tests and address all areas where shortcomings are found.
  • Conduct the tests in an unannounced mode.
  • Validate that mission critical data is at sites other than the primary data center.
  • Establish a communication plan that can be implemented after the disaster.


 

HandiGuide is a Janco Associates registered trademark 
