How Your Data Can Get Loose

Ed Sperling, 11.21.08, 04:00 PM EST

The ways in which your data can wind up in other people's hands are multiplying.

Locking up personal data is like putting a lock on your front door: It may deter some people, but professionals will break a window. If they really want to get in, they'll resort to more violent entries such as tunneling through the floor, smashing the walls or chopping a hole in the ceiling.

Nothing's different in cyberspace--except that the chances of getting caught are lower than in the physical world. In some countries, cyber-attacks aren't even illegal. And to make matters worse, an attack can be carried out remotely and hit many more victims with a single blow.

In an odd bit of protection for the criminals: If a cyberhacker is based in a country that doesn't make data snatching illegal, then he can't be prosecuted even if he preys on people elsewhere, notes John Stewart, chief security officer at Cisco Systems (nasdaq: CSCO). "Even if [an attack] violates the victim's law, it may not be illegal where it was done," he says.

That means protecting yourself--your identity, your company's data, even your health--becomes an imperative.

As more devices rely on software, malicious code has crept into surprising places. Buyers of Insignia electronic picture frames, for instance, got more than they bargained for last Christmas. The frames came pre-infected with a virus. Best Buy (nyse: BBY) recalled the frames, but the damage was done. The good news is, it could have been worse.

"The number of attack vectors and techniques continue to multiply," says Josh Corman, principal security strategist at IBM (nyse: IBM). "No matter how good your perimeter defenses are, as soon as someone uploads pictures of their kids and their grandkids you could have a hardware-based Trojan in a USB."

Significantly more dangerous is the possibility of infecting medical devices. (MIT was researching a piece of malicious code embedded into pacemakers.) "Imagine what would happen if you suddenly shut down all the pacemakers at the G8 Summit," Corman says. "There is a whole market for certified, pre-owned technology that comes pre-infected. It's a very attractive, bottoms-up infection method."

Conspiracy-minded technology developers have long sounded the alarm about technology backdoors--ways into data stored on devices that buyers never knew existed. Apple (nasdaq: AAPL) confirmed last summer that there is a backdoor for the iPhone that allows Apple to remove illegally downloaded programs whenever it chooses. That measure helps Apple protect intellectual property. But given the complex global supply chain of parts that go into most products, unknown backdoors created by companies with unknown backgrounds and connections may pockmark final systems.

And then there is the human element. Many crimes are inside jobs. And a networked corporate enterprise means every computer on the network--sometimes measured in the hundreds of thousands, with even more global access points--is potentially a way into private customer data or corporate intellectual property.

Banks, retailers and even local supermarkets have access to at least some personal information for customers, and some have far more access than they should have. And it doesn't take a top executive to, say, add an in-line keystroke monitor--a device no larger than the tip of your finger--on a device cord or a keyboard to record all the strokes. Alternatively, they can replace a mouse with one that has built-in memory. Security experts say this already is happening.

Employees can also become unwitting assistants for cyberhackers. IBM's Corman says one extremely successful trick among cyberthieves is to drop USB drives in a parking lot where workers gather to smoke. "They invariably grab it. 'Oh, a free USB. I wonder what's on it?' The penetration of these kinds of attacks is very high."

Some companies such as large banks have disabled USB drives as a security precaution. But employees may also take such "found" drives home, and they often log on to the corporate network from their home computers.

Simple sloppiness by employees can also endanger your private data. Overworked or careless employees can misplace a CD containing private information by leaving it in the pocket of an airplane seat or somewhere else outside of the corporation. The Bank of New York Mellon (nyse: BK), for instance, recently notified customers that it had lost tapes containing customers' personal information en route to a storage facility. Many other such errors, however, are never reported.

Bottom line: Even those companies that do have a security policy may discover that their rules about who has access to data are not effective, particularly at a time when companies are laying off employees.

"The highest risk factor is the carbon-based units--humans," says Michelle Dennedy, chief data and privacy officer at Sun Microsystems (nasdaq: JAVA). "It's getting them to think about all the risks. The technology usually does what you tell it to do. Where the risk comes in from the technology is failure to finish the last mile."

 

Posted by CEOinIRVINE