Page 36 - AeM_June_2019
BUZZWORDS
A ‘logic bomb’ is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.

For example, a programmer may hide a piece of code that starts deleting files, such as a salary database trigger, should they ever be terminated from the company.

Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host systems on specific dates, such as Friday the 13th or April Fools' Day. Trojans that activate on certain dates are often called "time bombs".

To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs.

A good example of a logic bomb is the incident in October 2005, when Mark Russinovich discovered that Sony BMG had embedded a logic bomb in their music CDs which silently and without consent installed insecure software on their customers' computers. This software monitored and reported the listening habits of the customer. It also altered the operating system's access to their hardware. The remote access paths opened by the trojan were insecure and could be exploited by other malicious software. They distributed roughly 22 million of these CDs.

Another good example happened on 20 March 2013: in an attack launched against South Korea, a logic bomb struck machines and wiped the hard drives and master boot records of at least three banks and two media companies simultaneously. Symantec reported that the malware also contained a component that was capable of wiping Linux machines. (Source: Wikipedia) ◊
Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person; hence, it should be accessed only on a strictly need-to-know basis and handled and stored with care.

PII is information that can be used to uniquely identify, contact, or locate a single person. Personal information that is “de-identified” (maintained in a way that does not allow association with a specific person) is not considered sensitive. For instance, social security numbers are considered a type of PII, and the legal requirements for protecting them are much more stringent than for other PII.

Policies, contractual obligations, and information security laws and regulations require appropriate protection of PII that is not publicly available. These regulations apply to PII stored or transmitted via any type of media: electronic, paper, microfiche, and even verbal communication.

PII does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (Source: University of Michigan) ◊
36 June 2019 - Cyber-security & Data Protection