Not all hackers involved in these groups fall under the unethical stereotype that probably comes to mind initially.  Some actually include federal agents, corporate IT professionals, lawyers and people who want to find out what latest attacks their systems are up against.  However, keep in mind that many of these public resources are openly available to unethical hackers as well.

Some  8000 people gather in Las Vegas each summer for DEF CON,  the largest and longest running underground hacking conference.  The conference organizers call themselves “goons” and go by names like “Priest” “Dead Addict” and “The Dark Tangent”.  The wireless network at the conference is nicknamed “the world’s most hostile network’ (as an attempt at flattery, so they say).  Besides discussing  computer security, the event includes all kinds of other hacker-friendly fun like  Capture the Flag  (where teams attempt to attack and defend computers and networks) and Spot the Fed (where everyone  tries to pick out the Federal agents from among the attendees by calling people up on stage and asking them questions).

The “Spot the Fed” contest took an interesting turn at a recent conference when the conference organizers changed it to “Spot the Reporter” to expose a Dateline NBC reporter who was there undercover trying to catch attendees admitting to crimes on a hidden camera .  The event organizers were alerted of her intentions prior to the event and even contacted her several times to ask her to register as press.  So, when she persisted to turn down their requests and showed up at the event as a regular attendee with the hidden camera, they decided to call her out publically in their new game called “Spot the Reporter”.  However, before they got a chance to call her to the stage, she bolted (followed by several hundred angry attendees and registered reporters).

The word on the street is that by the time she had made it to the airport, the hackers back at DEF CON had all of her personal information pulled up on the conference projectors and website- including her social security number, address, and  flight information.  The lesson here is don’t mess with hackers.

As professionals in the accounting industry we all need to commit to keeping our systems as secure as possible.  You might be surprised to know the most effective thing you can do to minimize your risk related to hackers is to keep Windows up-to-date.  Each week there’s potential that Microsoft will release an update that addresses some sort of security flaw.  If your firm hasn’t adopted a set of tools and policies to ensure these updates are regularly completed, please don’t hesitate to give us a ring so we can point you in the right direction.

By the way, if you happen to want a more in-depth retelling of the reporter incident mentioned above, here’s a link to an article with some footage caught on tape.

As of March 1, 2010, Massachusetts-based firms and those who maintain records on its residents (regardless of the state they’re based in) will be required to meet increased information security standards that will force many firms into their next major wave of technology management investments. With the passing of this legislation, you can be certain that other states will follow closely behind.

Here’s the Readers Digest view of what you need to begin preparing for the following:

Duty to Protect
With many of our current security management activities being reactive in nature, we will soon be required to proactively ensure the safety and security of private information.

201 CMR 17.00 stipulates that we have a “Duty to protect” the following:

•    Personal information. (i.e. a  resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a)  Social Security number; (b)  driver’s license number or state-issued identification card number; or (c)  financial account number, or credit or debit card number.)

•    Records. (i.e. written, drawn, spoken, visual, or electronic)

The firm must designate one or more employees to design, implement, and coordinate maintenance of a comprehensive written information security program.  This program consists of identifying and assessing internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.

This written plan must:
•    be managed by one or more employees
•    provide regularly scheduled employee training
•    actively monitor compliance
•    include properly upgraded and maintained systems (i.e. network, software, storage, etc.)
•    provide for locked facilities with monitored access
•    include telecommuting policies that address access and transport of private data
•    require third-party vendor access procedures and requirements
•    provide an inventory of all paper and electronic records, media, devices, etc.
•    include documented procedures for post-incident responsive actions

Computer System Security Requirements
“Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:”

•    complex passwords that contain greater than 7 characters and ideally include multiple special characters (such as: *!()$#@)
•    access enabled for only active accounts and automatic blocking after multiple failed attempts
•    restricted access to data based on job function requirements with disciplinary measures imposed for policy violations
•    128-bit (or higher) encryption of portable devices containing private data (USB drives, USB memory keys, corporately connected PDAs/smart phones, laptops, etc)
•    backup tapes must be encrypted; otherwise the use of armored guard or similar service is required
•    monitoring and access logging of networks and systems for unauthorized access
•    up-to-date patches and protection definitions on firewall(s), anti-virus, anti-spyware
•    restricted physical access to systems containing private information and written access procedures that log access by all parties

If you don’t currently shut the door to your server room, because “it gets too hot in there”, or the servers are located in a public area such as a hallway or copier/production room, compliance to this legislation will require that you either relocate the servers to a secure location, or retrofit the existing location with adequate security and cooling.  Most  servers have an internal self-protection function that automatically and forcibly shuts them down when they reach a certain temperature, so proper cooling will be an essential concern.

Unless you can accommodate the janitorial schedules, you’ll need to be comfortable with the ‘server room’ not being cleaned — since now your cleaning crew will need escorted access to the ‘server room’ by an authorized employee.

Pose these questions to your technology personnel:
•    Is our firewall updated to the most current patch release?
•    How many of our PCs and/or servers are running the latest security patches?
•    Are our PCs and servers running the most current security definitions for anti-virus and anti-spyware?
•    Is our wireless access encrypted using WPA2 or better?
•    Are our tape backups encrypted and stored offsite in a secure location?
•    Do our auditors store client data on USB sticks (or USB drives)? If so, are they encrypted?
•    Do we have a written security policy?

Should the responses you receive fall short of giving you confidence, it may be time to get a head start on 201 CMR 17.

If your firm is based in Massachusetts, you’ll be thankful to know that the original compliance deadline of January 1, 2010 has been extended until March 1, 2010.  Given that accounting firms have copious amounts of free time in the first quarter, the added grace will come in handy.  Wahoo!

For the complete text of the 201 CMR 17 law, go here.

Did you know that an eight character password that is all lowercase letters would only take about 2.4 days to crack?  That’s how long it would take the average hacker’s computer to process through every possible password combination for those 8 letters.  That’s scary!  But, the good news is that just adding a CAPITAL letter and an *asterisk* would lengthen the time for that same computer to process through all the possible password combinations to 2.1 centuries.  That’s more like it!

Basically, with today’s technology, it’s only a matter of time before a computer runs through all of the password possibilities for a given number of characters- or gets shut down trying.  That’s why making sure your passwords are strong enough is so critical.

Here’s a look at how long it would take the average computer to run through every possible password for a given number of characters (link):

With that said, it’s a good idea to set up an enforced password policy at work, if there isn’t one in place already.  Here’s a sample policy that requires users to change their login password every 90 days based on the following set of complexity requirements:

• Passwords may not contain all or part of the user’s account name
• Passwords must be at least 8 characters in length
• Must contain characters from 3 of the following 4 categories:
  1 – English uppercase characters (A through Z)
  2 – English lowercase characters (a through z)
  3 – Base 10 digits (0 through 9)
  4 – Non-alphabetic characters (for example, !, $, #, %)

Introducing a new password manager application called LastPass. LastPass is completely web-based and has a browser plugin that is very simple to install into Internet Explorer or Mozilla Firefox and makes it easy to log in to all of these sites.  You can also access these by logging in to your account on Lastpass.com if you are out somewhere and don’t want to install the plugin to the browser.

So how much does it cost for this service?  The great news is that it is free!  So, what do you do to use it?  You just need to create an account on www.lastpass.com and download and install the browser plugin on your computer.  Then, as you are logging into any site, you will see a prompt at the top of the browser that asks you if you would like to store this site’s login information.  You can even create groups by specifying a group name when creating the new site login entry.

I have used other products that are purely software based and, while these are also good products, they always require you to add software to the machine.  With Lastpass.com you have the option of not installing anything or simply installing the plugin which gives you access to all of your accounts right from the browser menu.

I highly recommend that you consider using this solution if you regularly have to log in to secure sites like Banks and Financial investment sites.  You can use the built-in function to change your password and let Lastpass.com generate a complex password for you and then store it under that account.  Very complex passwords ensure much greater security and, in this world of highly adept hackers, we need to use complex passwords all the more.

Click here for a video Lastpass.com has created to provide some basic instructions on this product.