Workstation Security

Don’t Rely on Others to Protect Your Assets

Posted in Business and Security, Workstation Security on December 29th, 2010 by Paul

A company has a PC infected with malware that steals the user ID and password for its bank account. The bad guys proceed to steal a large sum of money from the company bank account. The bank won’t refund the money, and the FDIC doesn’t insure commercial accounts. This sums up a recent case described at Krebs on Security, where an escrow company had $440,000 stolen from its bank account and is now suing the bank, claiming inadequate controls for the movement of funds.

The bank probably shouldn’t be offering a single password to govern the approval and release of a wire transfer, but is it responsible for protecting an endpoint it had no control over? That’s quite a leap. As a business owner, you have to take responsibility for protecting your assets.

Krebs suggests two alternatives for small businesses. I agree with both, which I’ll summarize here.

1.  Separate your banking PC from your general purpose PC.   In other words, don’t access your online bank accounts from the same PC you use to check E-mail, open attachments, browse the Internet, perform work for your clients, etc.

2.  Use a Live CD that boots your computer into a version of Linux that is used only to access your online bank accounts.

A third option is to use a virtual guest machine that is dedicated to online banking and appropriately configured and updated. (Not a bad idea for personal banking too.)

Hopefully, this incident doesn’t lead to a knee-jerk legislative mandate that requires banks to implement vague “effective security measures”, especially ones that would require them to effectively manage the endpoint systems of other businesses. Banks could, however, provide option 2 above to their commercial customers, letting them access online banking using a secure, bank-branded Linux distribution.

Bottom line – personal responsibility.  Don’t rely on other parties to protect your information.

Ex-Lover Busted, But Not Totally to Blame

Posted in Business and Security, Should Have Known Better, Workstation Security on September 21st, 2009 by Paul

A 38-year-old Avon Lake, Ohio man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he’d had a relationship with ended up infecting computers at Akron Children’s Hospital.   (Misdirected spyware infects Ohio hospital.  McMillan, Robert. 17 September 2009. ComputerWorld.)

Graham certainly gets what is coming to him. Sending spyware to your ex is more than a little creepy. However, it seems to me the hospital is culpable in the release of protected health information (PHI) due to poor security practices. The hospital has an obligation to protect this information, yet it allowed an employee not only to access personal e-mail but also to download and install an application. In this case it turned out to be spyware.

Unfortunately, this is a common occurrence. Employees use business assets as their personal playground, downloading and installing all types of applications that have no business being on the PC. I’m not talking about pictures of Grandma Edith and the new puppy, but rather peer-to-peer file sharing and communication applications, games, and other programs of amusement. This places companies at risk for the accidental release of personal information or compromise of systems.

With more regulatory pressure being placed on organizations to protect personally identifiable information, companies are going to need to decide whether they are running a business or a playpen. It may be safer (and less expensive) to put in a foosball table and pinball machine than to suffer the consequences of a breach.

Bloatware – a patching dilemma

Posted in Workstation Security on July 6th, 2009 by Paul

When you buy a new laptop or desktop computer, it often comes loaded with a bunch of unwanted “bloatware”… software that you never wanted and would prefer didn’t exist. Uninstalling the software can be tedious and time-consuming, leading many consumers to just ignore the issue. This becomes a problem because these applications often have discovered vulnerabilities that need to be patched and aren’t, leaving consumer systems ripe for compromise.

In a business context the problem is a little easier to solve, as the systems can simply be wiped and loaded with the company default configuration before they are put into service. Some companies don’t do this, and while they may have decent anti-malware and operating system patching in place, these unwanted applications leave them exposed. If you’re a business and don’t have a desktop/laptop image for your business computers, I suggest you create one or have one created. It will not only eliminate the bloatware problem, but a standard system will also save a lot of headaches for your IT support personnel.

It would be best if vendors would simply leave off this added bunch of unwanted software, but there is too much pressure to pester the consumer with this garbage.