ISACA warns workers will take more risks when e-shopping in the run-up to Christmas

NEWS, page 8, NOVEMBER/DECEMBER 2010

ISACA, the not-for-profit IT security association, is warning that office workers are likely to take more risks than usual whilst conducting online shopping in the weeks running up to Christmas. The association, which has more than 80 000 members worldwide, says its research suggests that employees will spend six hours shopping online in the next six weeks.

The research, which centres on ISACA’s annual ‘Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey’ and draws on a poll of more than 360 workers in the UK and more than 630 employees in the US, claims that 33% of UK workers are planning to spend nine hours or more doing their online shopping. UK staff say they may undertake risky actions online, such as clicking on an email link or providing their work email address when shopping online, and 49% report that they access social network sites from their work-supplied computer or mobile device.

Commenting on the results, John Pironti, a security advisor with ISACA and president of IP Architects, says that employees shopping online not only reduces productivity, especially in the period from late November to mid December, when 65% in the UK make their purchases, but also opens the door to social engineering and phishing attacks, malware, and information breaches that can cost companies large sums of money. These attacks, he adds, can cost “thousands per employee” to correct, millions in compromised corporate data, and severe damage to reputation.

Shopping online using company devices also increases the security risk, says ISACA, because these devices are often used on wireless networks outside of a protected corporate network. They are also, adds the association, more easily lost or stolen, and contain corporate data that is typically not encrypted.

A separate global survey of 834 business and IT professionals who are members of ISACA has found that a third of European respondents believe their organisation loses £3000 or more per employee as a result of an employee shopping online during work hours in November and December.

To assist managers in tackling the security problem of holiday shopping using company devices, ISACA has published a free white paper, ‘E-Commerce and Consumer Retailing: Risks and Benefits’, which can be downloaded from its website. Recommendations for IT departments include teaming up with the HR department to adopt an ‘embrace and educate’ approach and promoting awareness of the firm’s security policy. IT departments, says ISACA, should also encrypt data on devices and use secure browsing technology, and should take advantage of industry-leading practices and governance frameworks such as the Business Model for Information Security (BMIS).

Malware hijack adds unauthorised files to Mozilla Firefox

Mozilla Firefox has once again been the subject of a malware attack, this time with a code hijack adding an unauthorised series of dropped files to the browser’s profile. Webroot threat manager Andrew Brandt posted an item about a dropper known as Trojan-Dropper-Headshot in September 2010. This malware, he said, delivers everything including the kitchen sink when it infects a system, and carries a large number of payloads, any of which on its own constitutes a serious problem. “All together, they’re a nightmare”, he says, adding that, amongst the payloads, his research team has seen the malware drop downloaders (Trojan-Agent-TDSS and Trojan-Downloader-Ncahp, aka Bubnix), adware (Virtumonde, Street-Ads and Sky-banners), keyloggers (Zbot and LDpinch), click-fraud Trojans (Trojan-Clicker-Vesloruki and at least three other generic clickers), and a rogue AV called Antivir Solution Pro.

“So this is one nasty beast that has no qualms about using the shotgun approach to malware infections”, he explained in his security blog. Brandt went on to say that his research team has also noticed that the malware has added yet another intriguing installer to its panoply of pests: a small executable named seupd.exe (search engine updater?) that makes two minor (but obnoxious) modifications to Firefox. “The result of these modifications changes the behaviour of Firefox’s search bar, the small box that lets you send queries directly to search engines, located to the right of the Address Bar”, he said.

Brandt added that the new modifications are not immediately apparent unless you try to search Google for something, using either the Search Box or the Address Bar. Instead of sending the search to Google, the browser submits search queries to one of six different domains not owned by Google, but which appear to use the Google API to provide results. “And, presumably, earn a little ad revenue on the side”, he said.
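The article does not say which profile files seupd.exe rewrites. As an added example (not from the article or from Webroot), the Python check below reads a Firefox prefs.js or user.js file and flags search-related preferences whose destination host is not on an allowlist; the preference names are those of Firefox 3.x-era builds, and the sample prefs.js and the hijack host in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Firefox (3.x-era) preferences that decide where Search Box and Address Bar
# queries are sent. Assumption: a search-bar hijack rewrites one of these.
SEARCH_PREFS = {
    "keyword.URL",                       # Address Bar keyword-search destination
    "browser.search.defaulturl",
    "browser.search.defaultenginename",  # engine name, not a URL (ignored below)
    "browser.search.selectedEngine",
}

# Hosts the organisation expects search traffic to reach (tune per site).
EXPECTED_HOSTS = {"www.google.com", "google.com", "www.bing.com"}

# Matches user_pref("name", "string") or user_pref("name", true/123).
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"((?:[^"\\]|\\.)*)"|([^)]+))\);')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js or user.js."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        name, str_val, raw_val = m.groups()
        prefs[name] = str_val if str_val is not None else raw_val.strip()
    return prefs


def find_search_hijacks(prefs):
    """Return (pref, host) for search prefs whose URL host is not allowlisted."""
    findings = []
    for name, value in prefs.items():
        if name in SEARCH_PREFS and value.startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append((name, host))
    return findings


# Constructed sample prefs.js; the hijack host is a placeholder, not a real IoC.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "http://www.example.org/");
user_pref("keyword.URL", "http://search.hijack-placeholder.invalid/q?q=");
user_pref("browser.search.defaultenginename", "Google");
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
'''

if __name__ == "__main__":
    for pref, host in find_search_hijacks(parse_prefs(SAMPLE_PREFS)):
        print(f"suspicious search destination: {pref} -> {host}")
```

Dropped search plugins in the profile's searchplugins directory would not show up in prefs.js, so a full review of a suspect profile should list unexpected files there as well.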

