It has been reported that criminal organisations are targeting Irish companies by enlisting foreign hackers to break into computer systems and hold data to ransom.

The Irish Computer crime investigation unit is currently investigating a number of cases which include hackers breaking into systems and encrypting data, and subsequently requesting money in order to decrypt the data.

Companies in Ireland need to realise the threats posed by not adequately securing their IT infrastructure. One leading security expert was quoted as saying “Irish businesses have a tendency to rely on their IT support company to secure the network , this can have catastrophic consequences as many IT support companies know very little about security”.

Google has released a new two-step verification process to help deter computer hackers from accessing email accounts and other Google services.

This will require users to enter a six digit code after having entered their password when logging on from a different device. The six digit code will be sent to the users mobile phone.

This feature will be rolled out initially to companies and government agencies that use Google services for email and other applications.

It is expected that in the next few months users of Google’s free Email service Gmail will have the option of enabling this feature.

In the wake of the CAO attack last month and as Gardai are still investigating the attack it has been uncovered that the Gardai’s own website http://www.garda.ie is currently vulnerable to an attack.

A Senior Security Consultant at Security firm Secured.IE was quoted as saying “without proper security controls in place, such as rate limiting and account lockouts leaves the administration of the website open to brute force attacks”.

“The irony is, that while the Gardai are investigating the attacks on the CAO, their own website is probably just as, if not more, vulnerable” commented another security expert.

In the event of the website being breached there can be many ramifications, the site could end up being defaced and hosting malware which in turn could end up compromising the security of all the computers that log on to see what’s after  happening which would no doubt include other government computers.

Hackers pose a significant security risk to any website. While no domain, website or network is absolutely immune to attacks, a few simple steps can ensure that you mitigate the risks associated with most types of attacks. The majority of attackers will be deterred by strong security measures and are far less likely to spend the extra time required to hack a secure website.

When operating a high profile website such as the Garda website or in fact any website a number of key procedures must be put in place:

• Ensure that access to the administration console is completely locked down to authorised IP addresses
• Regularly monitor the website access logs to look out for unusual or abnormal behavior
• Keep the web server up to date with all security patches
• Make sure that all processes are locked down and accessible only by those authorised.
• Always use strong passwords which contain uppercase/lowercase/numbers/special characters and should ideally be 10 characters or more
• Make sure file permissions are correctly set
• Use ftps instead of ftp for more secure connections
• Always connect to your web-server from a secure location, ie. not an internet cafe
• Use Key based authentication in addition to passwords
• Never use shared login credentials

Gardai have been handed over logs and other evidence to investigate the recent attacks on the CAO website which has caused chaos for students this week.  The website was attacked just 10 minutes after the release of first round offers on the site at 6am Monday morning. The site was subsequently attacked on Wednesday by manipulating the forgotten password link which reissued new passwords to 22,000 students.

Denial of Service attacks  can be difficult but not impossible to pinpoint. Usually these attacks are perpetrated by criminal gangs looking to extort money from online websites such as bookies. The attack on the CAO however was purely to cause havoc.

Depending on the severity of the attack on Monday some simple security protocols in place may have averted the whole disaster. According to a leading IT Security firm allowing passwords to be sent out by simply inputting a CAO number would be considered ridiculous for such a high profile website and the CAO really needs to look into better coding practices on it’s website.

Thousands of students have faced massive disruption due to these recent attacks.

A company that has not had very much media attention called Palantir has recently received funding of approximately $90M in the States.

It is not known whether Palantir is currently profitable but the company states that revenues have doubled each year for the last 3 years. 70% of the it’s revenue comes from the US Government and the other 30% from private corporations.

From tracking weapon smuggling to identifying the origin of malware this tool appears to give governments and corporations an extremely effective analytical tool that will provide them with a serious upper hand.

According to it’s website:

“We currently offer two products: Palantir Government and Palantir Finance. Both are platforms for integrating, visualizing, and analyzing the world’s information. We support many kinds of data including structured, unstructured, relational, temporal, and geospatial. Our products are built for real analysis with a focus on security, scalability, ease of use, and collaboration.

Palantir Government is broadly deployed in the intelligence, defense, and law enforcement communities, and is spreading rapidly by word-of-mouth. Palantir Finance is in use at some of the world’s leading hedge funds and financial institutions.”

A quick look at some of the tutorial videos on the companies website will give you an idea of what this software is capable of.

http://www.palantir.com

Irish companies that loose the personal data of more than 100 people will be obligated by law to report the breach to the authorities according to the new rules proposed by the Data Commissioner.

The only instance where a company or organisation can avoid having to report the breach is ensuring that data is encrypted and protected by a strong password, or in the case of lost or stolen equipment that a remote memory-wipe feature on a device be activated immediately.

In 2008 the Irish Government ordered a review to determine whether or not reporting obligations protected individuals sufficiently. It recommended that some kind of official guidance was necessary in the event of a breach.

The Irish Data Protection Commissioner has now published a draft Code of Practice outlining exactly when reports to him must be made.

“I have sought to bring forward a draft Code as quickly as possible after the Review Group report to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations,” said Irish Data Protection Commissioner Billy Hawkes.

In the event of an organisation loosing data comprising of sensitive medical or financial data then this must still be reported even if fewer that 100 people are involved.

“Data controllers who are required to report to the Office of the Data Protection Commissioner in accordance with this Code must do so within two working days of becoming aware of the incident,” said the guidance.

“Such data controllers are required to provide a detailed report of the incident reflecting careful consideration of … the amount and nature of the personal data that has been compromised; what action is being taken to secure and / or recover the personal data that has been compromised; what actions are being taken to inform those affected by the incident or reasons for the decision not to do so; what actions (if any) are being taken to limit damage or distress to those affected by the incident; and a chronology of the events leading up to the disclosure,” it said.

“The Office of the Data Protection Commissioner will investigate the issues surrounding the data breach,” it said. “Investigations may include on-site examination of systems and procedures and could lead to the use of the Commissioner’s legal powers to compel certain actions. Such actions may include a recommendation or requirement to inform data subjects about a security breach incident where a data controller has not already done so.”

The draft code of practice can be found here.

In the U.K. in April 2010 The Information Commissioner for the first time gained the power to fine organizations for violating the Data Protection Act. Fines up to £500,000 can be levied. In the case of Banks and Insurances companies other agencies have the power to impose even greater fines.

The European Union approved a data breach notification law last year as part of telecoms law reforms however this law only applies to telecoms firms. The Commission and Council rejected EU Parliament proposals to have the law apply to businesses that operate online, such as shops and banks.