Job Board Security

admin, December 7, 2007

Well, it's been a busy few weeks for data security issues: there are the 'lost' Inland Revenue child benefit data disks and, closer to home, the continuing fallout from the Monster data theft. Where the loss of disks containing sensitive data is a pretty simple one to understand and protect against (encryption and secure courier services, anyone?), what happened at Monster is much more of a concern, as parts of the attack strategy could be applied to any web user. What causes concern is not that Monster had particularly terrible security; it's that the group who engineered the attack did so in a targeted, effective and comprehensive manner that exploited many weak links in the interactions between web users, the sites they visit and the emails they open.

This was a complex and technically expert attack, and it went something like this:

The Bad Guys™ managed to steal the log-in credentials used to access the Monster CV database, the part of the system that employers and their agents use. This gave them access to millions of people's CVs, some of which contained sensitive data; they may well have pulled the whole database rather than extracting the CVs by searching. The harvested email addresses were then used to send phishing emails to every one of them. What happened next depended on which phishing email you received and what you did with it. If you clicked, some victims were rootkited and no doubt became part of the great spam and malware botnet herd; others were extorted via a standard ransomware scam, as explained here.
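The first link in that chain, stolen employer credentials being used to pull CVs in bulk, is the one a site operator has a chance of catching in its own access logs: a recruiter searches and reads a handful of CVs an hour, a scraper walks through thousands. The following is an added example written for this page, not code from the original post or from Monster, and the log format, account names, CV ids and thresholds are all constructed for illustration. It sweeps a sliding time window per account and also watches for CV ids being requested in strict sequence, which is what an enumeration script does and a human searcher does not. The caveat the post itself raises applies: if the attackers copied the database directly rather than querying it through the employer interface, nothing like this will fire, so it complements rather than replaces controls on the database itself.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_VIEWS_PER_WINDOW = 100      # hypothetical threshold; tune to real employer traffic
SEQUENTIAL_FRACTION = 0.8       # share of consecutive requests that step the CV id by 1
MIN_STEPS_FOR_SEQ_CHECK = 20    # do not judge id patterns on a handful of requests


def build_sample_log():
    """Constructed events, not real logs: one ordinary recruiter and one
    account behaving like a scraper driven by stolen credentials.
    Line format (assumed): "<ISO timestamp> <account> VIEW_CV <cv_id>"."""
    lines = []
    t0 = datetime(2007, 11, 20, 9, 0, 0)
    # acme_recruit: four CVs over 25 minutes, ids scattered as search results are
    for i, minute in enumerate((0, 3, 11, 25)):
        lines.append(f"{(t0 + timedelta(minutes=minute)).isoformat()} acme_recruit VIEW_CV {48120 + i * 97}")
    # bigco_hr: one CV per second, ids counting upwards, for five minutes
    for i in range(300):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} bigco_hr VIEW_CV {10000 + i}")
    return "\n".join(lines)


def parse(line):
    ts, account, action, cv_id = line.split()
    return datetime.fromisoformat(ts), account, action, int(cv_id)


def flag_bulk_retrieval(log_text):
    """Return {account: [reasons]} for accounts whose CV access looks like
    bulk extraction rather than ordinary searching."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e[0])
    windows = defaultdict(deque)          # account -> timestamps inside the current window
    peak = defaultdict(int)               # account -> most views seen in any one window
    last_id = {}                          # account -> previous cv id requested
    steps = defaultdict(lambda: [0, 0])   # account -> [sequential steps, total steps]
    for ts, account, action, cv_id in events:
        if action != "VIEW_CV":
            continue
        q = windows[account]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop timestamps that fell out of the window
            q.popleft()
        peak[account] = max(peak[account], len(q))
        if account in last_id:
            steps[account][1] += 1
            if cv_id - last_id[account] == 1:
                steps[account][0] += 1
        last_id[account] = cv_id
    findings = {}
    for account in peak:
        reasons = []
        if peak[account] > MAX_VIEWS_PER_WINDOW:
            reasons.append(f"{peak[account]} CV views within {WINDOW}")
        seq, total = steps[account]
        if total >= MIN_STEPS_FOR_SEQ_CHECK and seq / total >= SEQUENTIAL_FRACTION:
            reasons.append(f"{seq}/{total} requests walk CV ids sequentially")
        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in flag_bulk_retrieval(build_sample_log()).items():
        print(account, "->", "; ".join(reasons))
```

On the constructed sample only bigco_hr is flagged, on both counts; the recruiter's scattered, slow reads pass. The thresholds are the weak point of any such rule, so set them from a baseline of real employer usage rather than from the numbers above.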

Well, what can we do, you ask? One thing is for sure: the people who run online systems that store sensitive data can take steps to secure the data and access to it. As we've seen from the events at HMRC, even governments can get this wrong. For our part we've carried out an extensive security review and are implementing the recommendations. I guess that sounds fluffy, but it has to: if I told you the details, The Bad Guys™ would have a better chance of getting in, and we don't want that. We'll be making official statements on the issue in the coming year.

Now, what can you do as a user? The most obvious thing is to be careful who you hand out information to; as we've seen in the HMRC example, even 'trusted' organisations can get it wrong. Barring becoming a hermit and eschewing all forms of technology, here are the basics. I'll assume you are with the majority and run some variant of Microsoft's OS:

  • Update your operating system regularly with the latest patches
  • Get a good security suite: anti-virus, anti-trojan, firewall, etc.
  • Use a good spam filter
  • Do not surf the web using an account with Admin rights

Most of these scams are based around tricking the user into clicking on something that lets The Bad Guys™ install stuff on your machine. Emails with links to software downloads are a marketing and distribution dream come true. For those of us at the other end, it means The Bad Guys™ can take advantage of this and send us very realistic-looking emails asking us to click this or that to download the latest widget, which we duly do, only to discover we've been tricked. Below you'll find some links to sites with more information on how to protect yourself. If you have questions, please post them in the comment section.
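The tell-tale signs of the lure emails described above can be checked mechanically before anyone clicks: the visible link text says one site while the actual href goes somewhere else, the destination is a bare IP address rather than a name, or the link fetches an executable or archive. The following is an added example written for this page, not code from the original post or from any mail filter product, and the sample message, including the sender name and addresses, is constructed for illustration. It parses an HTML email with the Python standard library and reports every anchor that trips one of those checks.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure of the kind described above; not a real message.
SAMPLE_EMAIL = """\
From: "Monster Careers" <careers@monster.com>
To: victim@example.org
Subject: Install the new Monster Job Seeker Tool
Content-Type: text/html; charset=utf-8

<html><body>
<p>Download the updated job seeker tool here:</p>
<a href="http://203.0.113.7/tool/JobSeekerTool.exe">http://www.monster.com/tools</a>
<p>Or read the terms at <a href="https://www.monster.com/terms">www.monster.com/terms</a></p>
</body></html>
"""

# Extensions that mean "this link installs something" (assumed list, extend as needed)
DOWNLOAD_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".zip", ".msi")


class _AnchorParser(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _as_url(url_like):
    """Accept both 'http://x/y' and bare 'www.x/y' as written in link text."""
    return url_like if "://" in url_like else "http://" + url_like


def _host_of(url_like):
    return (urlparse(_as_url(url_like)).hostname or "").lower()


def html_body(raw_email):
    """Return the first text/html part of the message, decoded, or ''."""
    msg = message_from_string(raw_email)
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def suspicious_links(raw_email):
    """Return [(href, [reasons])] for every anchor that looks like a lure."""
    parser = _AnchorParser()
    parser.feed(html_body(raw_email))
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = _host_of(href)
        # Visible text looks like a URL but names a different host than the real target.
        if re.match(r"^(https?://|www\.)", text, re.I) and _host_of(text) != href_host:
            reasons.append("link text host %r != href host %r" % (_host_of(text), href_host))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            reasons.append("href uses a bare IP address")
        if urlparse(_as_url(href)).path.lower().endswith(DOWNLOAD_EXTS):
            reasons.append("href points at an executable/archive download")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample, the first link is reported for all three reasons and the genuine terms link passes. The same checks are what you do by hand when you hover over a link before clicking: compare where the browser says it goes with where the email says it goes.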

Email Phishing Scams
  • Phishing information
  • Anti-Phishing Working Group
  • National Consumers League (USA)
  • Hoax Slayer

Identity Fraud and General Online Security
  • Think You Know
  • Home Office
  • Stay Safe Online
  • Direct Gov Information

Articles About the Breach
  • Prevex Security (looks like they have some great security software)
  • The Register
  • The Times Online (London)
  • Heise Security