WEEKLY PRIVACY-SECURITY NEWS BRIEF

Privacy & Security News Brief
January 12 – January 18, 2008
Vol. 1, No. 15

TABLE OF CONTENTS

BIOMETRICS
  Australia in talks with FBI over global "dangerbase"
DATA BREACH
  One year later: Five takeaways from the TJX breach
  Credit card data breach could affect 650,000
  Carphone Warehouse in 'serious' data breach
  Hospital staff ID is 'lost' in data blunder
  UW staff's personal data was on public Web site at least a year
  Dahlgren warns workers about ID theft
  Election Commission laptop hard drive found
  Tennessee Tech loses Social Security numbers of 990 students
  Suffolk social services agency warns clients of possible security breach
  UGA Contacting 4,000 After Computer Breached by Hacker
E-COMMERCE
  Study: Online Privacy Concerns Increase
EDITORIALS & OPINION
  Surrendering ever more of our privacy
  I vote for mandatory encryption
  Personal Data Should be Handled Like Spent Nuclear Fuel
  Security and Convenience at the Borders
  IT and the Changing Privacy Landscape: Eight Areas to Watch in '08
EDUCATION
  Company gets kindergartners' Social Security numbers, data
EMPLOYEE
  Bosses' Hi-tech Spying Tactics Do Not Compute
FINANCIAL
  SEC takes strict view on client data
GOVERNMENT – U.S. FEDERAL
  US intel chief wants carte blanche to peep all 'Net traffic
  Big Brother Really Is Watching
  DHS Extends Real ID Deadline, but Funding and Privacy Questions Remain
  Fliers' Data Left Exposed, Report Says
  Government Urged to Standardize Data Encryption Standards
GOVERNMENT – U.S. STATES
  States face Real ID privacy dilemma
  CALIFORNIA
    Securing So Cal
  MASSACHUSETTS
    Businesses say data security rules would be too expensive
  NEBRASKA
    Nebraska Publishes Identity Theft Repair Kit
  OHIO
    Q&A: Ohio Secretary of State Looks Anew at E-Voting
    Final 'Real ID' Rules Issued; Ohio First to Receive Extension
  WISCONSIN
    Editorial: Full audit needed on latest privacy breach in state
HEALTH & MEDICAL
  Privacy at risk in Vt. prescription drug database
  Experts say e-prescribing will be first and hottest Health IT issue in 2008
IDENTITY THEFT
  Major Retailer's Data Breach Results In Wave Of Credit Card Fraud?
INTERNATIONAL
  AFRICA
  ASIA/PACIFIC
    AUSTRALIA
      Medicare to set up healthcare identifier service
    MALAYSIA
      After 10 years in limbo, your privacy remains at stake
  EUROPE
    GERMANY
      Privacy Debate Runs Hot in Germany
    TURKEY
      Cameras in Istanbul, sacrificing privacy for security
    UNITED KINGDOM
      Prisoners 'to be chipped like dogs'
  MIDDLE EAST
  NORTH AMERICA
    CANADA
      Ottawa urged to draft data breach notification law
  SOUTH AMERICA
LEGISLATION – FEDERAL
  The Time Is Now (Better Yet, Yesterday) For A Federal Data Breach Disclosure Law
LEGISLATION – STATE
  MISSOURI
    New Missouri bill thumbs its nose at federal Real ID Act
  NEW HAMPSHIRE
    Product-tracking bill held for more study
  SOUTH DAKOTA
    Privacy measure to be debated
  VIRGINIA
    College donor privacy at issue
LITIGATION & ENFORCEMENT ACTIONS
  Life is Good settles security charges with FTC
MOBILE/WI-FI
ODDS & ENDS
  Super Bowl Security Plans Take Shape
  Food Commercials Reach the Supermarket
  Visual additions to map sites raise privacy, safety questions
ONLINE
  Social, work lives collide on networking websites
  More people worried about Net privacy, study finds
  MySpace Agrees to New Safety Measures
RFID
  Hospitals tagging babies with electronic chips
  Europe's RFID Privacy Policy Might be a Mistake
SECURITY
  Weak Control System Security Threatens U.S.
  Top Ten Cyber Security Menaces for 2008 Listed
  IM, Chat and P2P Network Attacks Up in 2007
  New Predictive Approach Seeks to Stay Ahead of Hackers
  Secure E-mail Standard Released
  DDOS Botnets Thriving, Threatening
  Competition May Be Driving Surge in Botnets, Spam
  Security Dominates 2008 IT Agenda
  The Future of Information Security: 2008 and Beyond
  Malware 2.0 Meets Security 2.0
SEMINARS
PAPERS
  2008 Digital Future Report
  Enterprise@Risk: 2007 Privacy & Data Protection Survey
ARTICLE SUMMARIES AND LINKS

BIOMETRICS

Australia in talks with FBI over global "dangerbase"
UK and Australian police are in talks with the FBI over an international biometric database which will be used to store and transfer criminals' details, in a move which has alarmed local privacy advocates. If it gets the go-ahead, the so-called "server in the sky" database will share biometric data, such as fingerprints and iris scans, of criminals internationally. The FBI suggested the database at a recent meeting of the five countries -- Australia, Canada, New Zealand, the UK and the US -- in the International Information Consortium technology group.
http://www.zdnet.com.au/news/security/soa/Australia-in-talks-with-FBI-over-global-dangerbase-/0,130061744,339285189,00.htm (ZDNet – 1/16/08)

DATA BREACH

One year later: Five takeaways from the TJX breach
One year ago, The TJX Companies Inc. disclosed what has turned out to be the largest information security breach involving credit and debit card data -- thus far, at least. The data compromise at the Framingham, Mass.-based retailer began in mid-2005, with system intrusions at two Marshalls stores in Miami via poorly protected wireless LANs. The intruders who broke into TJX's payment systems remained undetected for 18 months, during which time they downloaded a total of 80GB of cardholder data. TJX eventually said that 45.6 million card numbers belonging to customers in multiple countries were stolen from its systems. Even that number may be far too low: A group of banks that is suing the retailer claimed in an October court filing that information about 94 million cards was exposed during the serial intrusions.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9057758 (ComputerWorld – 1/17/08)

Credit card data breach could affect 650,000
Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing. GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people. The information was on a backup computer tape that was discovered missing last October. It was being stored at a warehouse run by Iron Mountain Inc., a data storage company, and was never checked out but can't be found either, said Richard C. Jones, a spokesman for GE Money, part of General Electric Capital Corp.
http://www.msnbc.msn.com/id/22718442/ (MSNBC – 1/17/08)

Carphone Warehouse in 'serious' data breach
Carphone Warehouse has been warned it could face prosecution for exposing the personal details of thousands of customers online and, in some cases, inadvertently setting debt collectors on them. The Information Commissioner's Office (ICO) said the Carphone Warehouse, and its sister company TalkTalk, could face the possibility of an unlimited fine if their data-protection and compliance systems are not brought up to scratch within 35 days of being notified last week. An ICO spokeswoman said: "If they fail to comply with the enforcement notice, it can lead to prosecution where they could face a fine of up to £5,000 in the magistrates court or an unlimited fine in the crown court." The spokeswoman said the ICO had received the first complaints from customers about a year ago and is still receiving complaints relating to the issues.
http://news.zdnet.co.uk/security/0,1000000189,39292224,00.htm (ZDNet News – 1/17/08)
Hospital staff ID is 'lost' in data blunder
Sensitive data spanning 20 years has gone missing from a hospital. Records containing names, addresses, national insurance numbers and bank details of staff at Queen Mary's Hospital, Sidcup, disappeared last October but staff were only told on Tuesday. NHS bosses are clueless as to how the incident happened and insist that there is no evidence that the data was stolen. This latest ID scandal happened just the day before government discs, containing 25 million child benefit records from families across the country, went missing in the post.
http://www.bexleytimes.co.uk/content/bexley/times/news/story.aspx?brand=BXYOnline&category=news&tBrand=northlondon24&tCategory=newsbxy&itemid=WeED16%20Jan%202008%2017%3A02%3A37%3A830 (Bexley Times [UK] – 1/16/08)

UW staff's personal data was on public Web site at least a year
UW-Madison officials waited more than a month before advising more than 200 faculty and staff members of a potential exposure of their personal information on the Internet last year. The personal information -- including e-mail addresses, phone numbers and Social Security-based campus ID numbers of faculty and staff who made purchases from the DoIT computer shop -- had been accessible on a campus Internet site for at least a year, said Brian Rust, communications manager for the UW's department of information technology. Rust said the employees involved in the exposure were reprimanded, but declined to say what exactly their punishment entailed.
http://www.madison.com/tct/news/267604 (The Madison [WI] Capital-Times – 1/16/08)

Dahlgren warns workers about ID theft
A 13-year-old report listing names, Social Security numbers and birth dates for Navy employees is raising concern over identity theft at Dahlgren. Officials at the Naval Surface Warfare Center are warning past and present employees that their identities -- and credit ratings -- could be at risk. According to a news release, two pages of a Naval Surface Warfare Center Employment Verification Report dated July 7, 1994, were found when four people were arrested in Bensalem Township, Pa., last week for attempted identity fraud. A Navy employee was notified by the Bensalem police that someone had stolen his identity and was trying to use his credit card to buy a television.
http://fredericksburg.com/News/FLS/2008/012008/01152008/348406 (Fredericksburg [VA] Free Lance-Star – 1/15/08)

Election Commission laptop hard drive found
Metro Police confirmed late Thursday they have recovered the hard drive from the laptop computer, containing names and complete Social Security numbers for 337,000 registered voters, that was stolen from the Election Commission in December. Police said Election Commission staff viewed and confirmed the information stored on the seized hard drive came from the stolen computer that gave them the most concern. Computer experts have begun the process of examining the files and data components to determine if they have been accessed or tampered with, according to police.
http://www.nashvillecitypaper.com/news.php?viewStory=58576 (Nashville City Paper – 1/18/07)
Also See:
  • Nashville Laptop Theft May Cost $1 Million
    http://www.infoworld.com/article/08/01/14/Nashville-laptop-theft-may-cost-1-million-dollars_1.html (InfoWorld – 1/14/08)
  • City offers free identity theft protection to voters
    http://www.nashvillecitypaper.com/news.php?viewStory=58495 (Nashville City Paper – 1/10/08)

Tennessee Tech loses Social Security numbers of 990 students
A portable storage drive containing the names and Social Security numbers of 990 Tennessee Tech University students has been lost, according to university officials. The school notified students today who lived in Capital Quad and Crawford residence halls during the fall 2007 semester that their information could be at risk. On Jan. 4 a school employee transferred the information onto a portable flash drive when the printer where he was working did not print, Greppin said. The employee, who was not named, noticed the drive was missing on the morning of Jan. 5. School officials searched for the drive all last week, Greppin said.
http://www.tennessean.com/apps/pbcs.dll/article?AID=/20080114/NEWS04/80114105/1001/NEWS (The Tennessean – 1/14/08)

Suffolk social services agency warns clients of possible security breach
The Department of Social Services has mailed about 1,500 letters to warn of a "potential security breach" involving a department computer that police suspect was used to commit fraud. The city does not believe any clients' personal information was compromised, and there is no evidence the data used for the fraud was retrieved from the computer, said Leonard Horton, director of Social Services. Kia James, 26, is accused of using her work computer while employed by Social Services last summer to apply for a credit card using her landlord's information, according to a search warrant and criminal complaint.
http://hamptonroads.com/2008/01/suffolk-social-services-agency-warns-clients-possible-security-breach (Virginia Pilot – 1/11/08)

UGA Contacting 4,000 After Computer Breached by Hacker
Over 4,000 University of Georgia current, former, and prospective students were exposed by a security breach involving a hacked server in late December. The server, which contained personal information such as Social Security numbers, names, and addresses of UGA students, alumni, and applicants, was infiltrated from an overseas IP address. "It seemed to be one of those things where the door was opened, but no one walked in," says UGA's Tom Jackson. Though there has been no evidence that the cybercriminal copied or retained the data, those exposed will still be notified of the breach, and the affected server was taken offline. The university has tracked the country from which the IP address came, but Jackson said UGA would refrain from related comments.
http://www.ajc.com/metro/content/metro/stories/2008/01/09/ugacomputer_0109.html (Associated Press – 1/09/08)

E-COMMERCE

Study: Online Privacy Concerns Increase
Privacy concerns stemming from online shopping rose in 2007, a new study finds, as the loss or theft of credit card information and other personal data soared to unprecedented levels. Sixty-one percent of adult Americans said they were very or extremely concerned about the privacy of personal information when buying online, an increase from 47 percent in 2006. People who do not shop online tend to be more worried, as are newer Internet users, regardless of whether they buy things on the Internet, according to the survey from the University of Southern California's Center for the Digital Future. Privacy and security groups report that an increasing number of personal records are being compromised because of data breaches at online retailers, banks, government agencies and corporations. The Identity Theft Resource Center, for instance, listed more than 125 million records reported compromised in the United States last year. That's a sixfold increase from the nearly 20 million records reported in 2006.
http://ap.google.com/article/ALeqM5j8J13SO5pDSyJtLjP0hhylxxVv0wD8U74HSO0 (Associated Press – 1/16/08)

EDITORIALS & OPINION

Surrendering ever more of our privacy
It's a sobering thought as we ponder how much privacy we've surrendered, most of it in the last seven years to government agencies. And it's not just the feds. Local officials also have jumped on the spying bandwagon, and it has been easy — too easy — to quietly accept it all. But now I'm beginning to feel like that guy in the poem who never complained about the Nazis until they actually came for him. It didn't bother me too much when City Hall proposed putting cameras at intersections to catch drivers who run red lights. I obey traffic signals, so I wasn't too worried. It didn't upset me when officials bragged of their ability to keep tabs on New Year's Eve revelers downtown with a portable surveillance camera so sophisticated it can pick out a face in a crowd. I wasn't going downtown that night, anyway. It didn't even get my blood boiling when the Brown administration announced plans to install up to 100 of the cameras in the city soon to stem crime. I'm not a criminal, so why should I worry?
http://www.buffalonews.com/cityregion/story/253721.html (Buffalo News – 1/17/08)
I vote for mandatory encryption
I can't believe that it's happened again - yet another laptop has been stolen. That's bad enough, but (no surprise) the data on that laptop was unencrypted. This time thieves struck in Nashville's Davidson County. Worse than just the laptop getting stolen is the fact that it contained sensitive information of all of the county's 337,000 registered voters (including Social Security numbers). Who knows whose lap this laptop will fall into - there's a good chance the thieves have/had no idea what it contained. But if they do, I'm pretty sure they're not above selling it to someone who knows just how to take advantage of it. Trusted establishments and organizations have a duty to ensure that customer/client information remains unreachable by unauthorized persons.
http://blogs.computerworld.com/i_vote_for_mandatory_encryption (Computer World – 1/16/08)

Personal Data Should be Handled Like Spent Nuclear Fuel
Private data is so dangerous and volatile if mishandled and its power to damage lasts so long that one author claims it needs to be viewed like "Hot Nuclear Waste." Personal information is precious to those to whom it belongs, highly damaging to their security and future prospects if exposed and needs to be treated as if it is a dangerous threat to all of society when not handled with the utmost care and respect. Since the Internet age is still developing we have yet to develop all the canons of ethics and disciplines of procedure that future generations will take for granted. But the time has come to draw up these industry-wide data care rules of thumb and back them up on the Government side with harsh laws that will even include long jail stretches for worst case scenarios.
http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=1960 (Internet Business Law Services – 1/16/08)

Security and Convenience at the Borders
Radio frequency identification (RFID) technology is used today in car keys, highway tolls and mass transit cards. It is wrong to assert that using vicinity RFID technology in passport cards and other travel documents is "fundamentally weakening border security and privacy." With more than 300 million yearly land border crossings, seconds count. As the State Department said, the RFID documents allow the exchange and verification of information to begin before the traveler reaches the inspection booth, a proven practice in cross-border traveler programs for more than 10 years. We take seriously the protection of privacy. The passport card will not contain or transmit any personally identifiable information. The chip sends a number that has meaning only to a secure database. Further, the cards will contain shields to counter any possible skimming and tracking.
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/10/AR2008011003292.html (Washington Post – 1/11/08)

IT and the Changing Privacy Landscape: Eight Areas to Watch in '08
In the waning days of the 20th century, privacy was more a marketing hook than an obligation, focused on customer preference and features to help companies earn a competitive edge. Privacy today is a concept more closely associated with the potential for abuse and the real threat of inappropriate access or exposure, identity theft, fraud — with the responsibility resting on the shoulders of any organization handling personal information for consumers, customers, employees or business partners. The privacy landscape, relative to IT, is becoming increasingly complex, shaped not just by the tenets of good business but by the demands of a regulatory environment with newly stringent standards. Faced with a plethora of national privacy and data protection laws, labor laws, and trade union and works council agreements, organizations are in a constant exercise to protect the information they hold and the privacy of their workforce. Meeting privacy standards has now become inextricably linked with meeting strategic business initiatives as IT professionals find themselves in more demand and with more on their plates.
http://www.cio.com/article/168150/IT_and_the_Changing_Privacy_Landscape_Eight_Areas_to_Watch_in_/1 (CIO.com – 12/28/07)
EDUCATION

Company gets kindergartners' Social Security numbers, data
Texas school districts are handing over Social Security numbers, dates of birth and other sensitive information about the state's kindergarten students to a private software company without permission from the children's parents. State education officials who set up the unusual arrangement insist that the information is safe. But some educators and parents worry about sending student Social Security numbers to a private company hired to store kindergarten reading test scores. A privacy expert says thousands of 5- and 6-year-olds are vulnerable to identity theft as a result. "I would hope that any company that had the financial future of every single kindergartner in Texas would be put through the mill as far as security," said David Holtzman, a former security analyst and author of "Privacy Lost."
http://www.dallasnews.com/sharedcontent/dws/dn/education/stories/011208dnmetkinderprivacy.2c1f955.html (Dallas Morning News – 1/12/08)

EMPLOYEE

Bosses' Hi-tech Spying Tactics Do Not Compute
Watch what you're doing when you sit down at your office desk. Because the technology exists to let Big Brother watch your every move. In the future, some bosses will be able to opt for the ultimate hi-tech package to keep an eye on staff. Giant company Microsoft is developing software involving wireless sensors linking employees to a computer. It then monitors their heart rates, stress levels, brain signals and even facial expressions. The technology has already been used to make sure pilots, firefighters and astronauts are doing their jobs well. The data is recorded to allow bosses to measure workers' productivity, physical well-being and ability to do their jobs.
http://www.thisisaberdeen.co.uk/displayNode.jsp?nodeId=148761&command=displayContent&sourceNode=148425&contentPK=19580937&folderPk=85598&pNodeId=148352 (This is Aberdeen – 1/17/08)

FINANCIAL

SEC takes strict view on client data
In an argument about a potential violation of a privacy regulation in the brokerage industry, the SEC is taking an extremely strict and narrow view of how registered representatives can use client information when they switch firms. The issue of mishandling clients' private information when a broker-dealer recruits reps and advisers is at the center of the Securities and Exchange Commission division of enforcement's move to obtain a cease-and-desist order against NEXT Financial Group of Houston, an independent-contractor firm with 886 affiliated reps. Last month, an SEC administrative judge in Houston heard arguments about whether NEXT Financial violated Regulation S-P, which is the securities industry's implementation of stricter privacy laws under the Gramm-Leach-Bliley Act of 2000.
http://www.investmentnews.com/apps/pbcs.dll/article?AID=/20080114/REG/715417580 (Investment News – 1/14/08)

GOVERNMENT – U.S. FEDERAL

US intel chief wants carte blanche to peep all 'Net traffic
Director of National Intelligence Mike McConnell discusses a plan in the works to dramatically expand online surveillance. As The Wall Street Journal sums it up, "in order to accomplish his plan, the government must have the ability to read all the information crossing the Internet in the United States in order to protect it from abuse." The unfinished CyberSecurity initiative is in large part aimed at blocking attempts to attack the US' information infrastructure.
http://arstechnica.com/news.ars/post/20080117-us-intel-chief-wants-carte-blanche-to-peep-all-net-traffic.html (ArsTechnica – 1/17/08)
Big Brother Really Is Watching
As soon as you walk into the airport, the machines are watching. As you answer a few questions at the security checkpoint, the systems begin sizing you up. An array of sensors -- video, audio, laser, infrared -- feeds a stream of real-time data about you to a computer that uses specially developed algorithms to spot suspicious people. The system interprets your gestures and facial expressions, analyzes your voice and virtually probes your body to determine your temperature, heart rate, respiration rate and other physiological characteristics -- all in an effort to determine whether you are trying to deceive. Fail the test, and you'll be pulled aside for a more aggressive interrogation and searches. That scenario may sound like science fiction, but the U.S. Department of Homeland Security (DHS) is deadly serious about making it a reality.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9055198&intsrc=hm_ts_head (Computer World – 1/14/08)

DHS Extends Real ID Deadline, but Funding and Privacy Questions Remain
After nearly three years of leaving states to twist in the wind, the Department of Homeland Security released the final regulations for Real ID. The Real ID Act, which became law in 2005, mandates national standards for the issuance of state drivers' licenses. Among the many criticisms leveled at the legislation was the fact that it was passed without having a complete set of rules dictating the details of how, exactly, states were supposed to comply with the law.
http://www.govtech.com/gt/250777?topic=117671 (Government Technology – 1/17/08)
Also see:
• Secure ID plans raise privacy concerns
http://www.buffalonews.com/cityregion/story/250352.html (The Buffalo News – 1/13/08)
• Remarks by Homeland Security Secretary Michael Chertoff at a Press Conference on REAL ID
http://www.dhs.gov/xnews/speeches/sp_1200320940276.shtm (Department of Homeland Security – 1/11/08)
• Civil Liberties Groups, Lawmakers Oppose Real ID Act on Grounds of Privacy
http://www.allheadlinenews.com/articles/7009694426 (All Headline News – 1/12/08)
• States Will Get More Time for Secure ID Plan
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/10/AR2008011003971.html (Washington Post – 1/11/08)
• Sununu Co-sponsors Effort to Repeal Real ID
http://www.boston.com/news/local/new_hampshire/articles/2008/01/11/sununu_co_sponsors_effort_to_repeal_the_real_id/ (Boston Globe – 1/11/08)

Fliers' Data Left Exposed, Report Says
A Transportation Security Administration Web site designed to help travelers incorrectly branded by the government as a "threat to aviation" remove their names from airline security watch lists has been found to be insecure, according to a recent congressional report. The vulnerabilities were discovered by Chris Soghoian, a graduate student at Indiana University, a few months after the site was launched. Soghoian says the site's appearance was so poor that he first thought it was a "phishing" site, or one created by hackers to trick people into divulging personal information. In addition, Soghoian discovered that the site had security holes that would allow hackers to steal the personal information of hundreds of people.
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/11/AR2008011103664.html (Washington Post – 1/12/08)

Government Urged to Standardize Data Encryption Standards
The Government Accountability Office has named the IRS among federal agencies that fail to observe encryption protocols. The Department of Homeland Security has yet to submit a final proposal for a unified encryption standard, a factor that security experts say is crucial to the protection of sensitive information. Several different kinds of encryption exist, and there remains no standard for government software or vendors. Federal CIOs also report that employees will circumvent encryption protocols if the task seems onerous or time-consuming.
http://www.govexec.com/story_page.cfm?articleid=39012&dcn=todaysnews (CongressDaily – 1/11/08)

GOVERNMENT – U.S. STATES

States face Real ID privacy dilemma
A major issue slowing progress on Real ID implementation is whether states should share copies of identification documents or only confirm information. Until there is an answer to that question, developing back-end information technology systems to support the initiative will be difficult. Privacy may hang in the balance. Some advocates believe the risks of identity theft and loss of personal privacy in Real ID may be lessened if states use a pointer system to verify critical personal information from birth certificates and other documents held in other states. States would query one another to confirm information without sharing the documents themselves. "A pointer system is acceptable," said Barry Steinhardt, director of the technology and liberty program for the American Civil Liberties Union.
http://www.washingtontechnology.com/print/23_01/32081-1.html (Washington Technology – 1/14/08)

CALIFORNIA

Securing So Cal
Recent high-profile laptop thefts and losses have prompted federal departments to take action. Los Angeles County has had its share of stolen laptops, some of which contained sensitive data. Worried about the possibility of another laptop theft, the L.A. County Board of Supervisors resolved to launch a major encryption initiative. The county's objective is to respond to all laptop thefts as though the criminal's aim is to exploit sensitive data. Therefore, officials decided that all L.A. County laptops, whether or not they house sensitive data, would be encrypted, explains county CISO Al Brusewit. In addition, officials decided that users would not be permitted to disable the encryption.
http://govtsecurity.com/state_local_security/securing_cal/ (Government Security – 12/07)

MASSACHUSETTS

Businesses say data security rules would be too expensive
New rules proposed by the Patrick administration to guard against the loss of personal and credit data drew fire yesterday from businesses that said many of the regulations would prove too costly to implement. The rules would set standards for how businesses should protect personal information, requiring that they use a relatively strong level of encryption to protect files sent across public networks, and retain records of their employees' access to customers' electronic information. Yesterday, some of the state's largest trade groups weighed in with strong objections, including the Retailers Association of Massachusetts, whose members include supermarkets and chain stores, and communications companies including Verizon Communications Inc., Comcast Corp., and AT&T Inc. The trade groups argued the rules would have unintended consequences and prove costly, such as a requirement that companies keep an inventory of records of personal information and the hardware used to store them.
http://www.boston.com/business/globe/articles/2008/01/12/businesses_say_data_security_rules_would_be_too_expensive/ (Boston Globe – 1/12/08)

NEBRASKA

Nebraska Publishes Identity Theft Repair Kit
Nebraska Attorney General Jon Bruning and Lincoln Postal Inspector Kerry Kowalski recently unveiled an Identity Theft Repair Kit to guide victims through the process of repairing their credit as part of National Consumer Protection Week Feb. 4-10. "Identity theft is crippling to its victims, both financially and emotionally," Bruning said. "This repair kit gives consumers peace of mind and a road map for minimizing the damage to their good name and credit."
http://www.govtech.com/gt/articles/248775?utm_source=newsletter&utm_medium=email&utm_campaign=DC_2008_1_15 (Government Technology – 1/15/08)
OHIO

Q&A: Ohio Secretary of State Looks Anew at E-Voting
In the "Evaluation & Validation of Election-Related Equipment, Standards & Testing" (EVERST) report, Ohio Secretary of State Jennifer Brunner made several suggestions to Ohio Governor Ted Strickland and state legislators, including eliminating direct-recording electronic (DRE) touch-screen machines and switching to a centralized ballot counting system. During a recent interview Brunner detailed various findings of the report and described some of the report's results, including potential weaknesses with optical-scan units. Brunner says that several independent, parallel tests were conducted, including tests by academic researchers and corporate scientists, and that the independent tests generated similar and sometimes identical results.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9056799&intsrc=hm_list (Computerworld – 1/14/08)

Final ‘Real ID’ Rules Issued; Ohio First to Receive Extension
The latest and final regulations proposed for the national Real ID program could shave costs off what states estimated to be an $11 billion hit under the new identification card safety mandates, the National Conference of State Legislatures said Friday. Ohio is the first state to be approved for an extension to comply with the Real ID Act provisions by the U.S. Department of Homeland Security, according to the state. The first compliance deadline is Dec. 31, 2009, by which states must have implemented the first security upgrade of their drivers' license systems.
http://www.gongwer-oh.com/programming/login.cfm?link=http://www.gongwer-oh.com/programming/news_articledisplay.cfm?article_ID=770080205%26newsedition_id=7700802&CFID=57610&CFTOKEN=75464482 (Gongwer News Ohio – 1/11/08)

WISCONSIN

Editorial: Full audit needed on latest privacy breach in state
In return for the taxes they pay, people expect their government to serve them, not put them in jeopardy. That's why we thought the state would take the steps necessary to avoid a repeat of last year's breach of privacy that allowed the Social Security numbers of 170,000 state residents to be printed on a mailing of income tax booklets. Apparently it did not. Some 260,000 state residents who participate in Medicaid, BadgerCare or SeniorCare had their Social Security number printed on a mailing from the state Department of Health and Human Services. The state agency has blamed the mistake on EDS Corp., the Texas-based company that processes claims for the state-run programs and actually sent out the mailing. The blame for this latest screw-up may lie with EDS, but the people in Health and Human Services have the responsibility to ensure that such private information doesn't get disclosed.
http://www.sheboygan-press.com/apps/pbcs.dll/article?AID=/20080113/SHE06/801130455/1883 (The Sheboygan Press – 1/13/08)

HEALTH & MEDICAL

Privacy at risk in Vt. prescription drug database
Lawmakers Tuesday complained that a new electronic database of prescription drug records goes too far into the private lives of Vermonters. Members of the House Human Services Committee, who worked on the plan creating the state-run database of all prescribed drugs in Vermont, said the program now appears to have powers beyond what they envisioned when they passed it two years ago. Committee members said the proposed policies of the Vermont Prescription Drug Monitoring Program would allow the state to collect too much information on people prescribed medication and share it with too many other state government employees. Bowing to privacy concerns, the bill passed in 2006 called for the commissioner of the Vermont Department of Health "personally" to share that prescription drug data to the commissioner of the Vermont Department of Public Safety "personally." But the proposed rules for the law would now allow lower-level officials within the two departments to give and receive the sensitive information.
http://www.timesargus.com/apps/pbcs.dll/article?AID=/20080116/NEWS01/801160350/1002/NEWS01 (Montpelier Times Argus – 1/16/08)
Experts say e-prescribing will be first and hottest Health IT issue in 2008
Experts for and against electronic e-prescribing all feel it will bubble up as one of the hottest and most debated health information technology issues in 2008. According to Deborah Peel, MD, founder of Patient Privacy Rights, when it comes to healthcare IT, Congress is likely to address e-prescribing first because it may seem a simple and somewhat easy place to start. Peel has major concerns, however, with the routine sale of e-prescribing data, a current practice that does not require a patient's consent. "No privacy group will support e-prescribing unless patients have control," Peel said. "It would be insane." In December, Sen. John Kerry (D-Mass.) introduced a bill that would require physicians who treat Medicare patients to use electronic prescribing, starting Jan. 1, 2011.
http://www.healthcareitnews.com/story.cms?id=8383 (Healthcare IT News – 1/14/08)

IDENTITY THEFT

"Major Retailer's" Data Breach Results In Wave Of Credit Card Fraud?
Anecdotal evidence suggests that a recently reported data breach by an undisclosed "major retailer" has resulted in a jump in consumers having their debit cards forcibly reissued, or calls from their bank to verify their recent purchase history. The problems seem to have started just around Christmas time and have continued into mid-January. The thefts cut across all types of credit cards, but one of the common threads is that the cards are being used to purchase physical products in-store. This is a contrast to the big credit card reissue last year when stolen debit cards were being used to make fraudulent ATM withdrawals.
http://consumerist.com/345016/major-retailers-data-breach-results-in-wave-of-credit-card-fraud (Consumerist – 1/15/08)

INTERNATIONAL

AFRICA

ASIA/PACIFIC

AUSTRALIA

Medicare to set up healthcare identifier service
Medicare will create individual healthcare identifiers for Australians from personal information held in its databases under a $51.6 million contract with the National E-Health Transition Authority. Human Services Minister Joe Ludwig said the Unique Healthcare Identifier (UHI) system would be designed and built by Medicare to support a nationwide shared electronic health records system. Senator Ludwig has also promised legislation to underpin the identifier service, and committed to an independent privacy impact assessment before operations commence.
http://www.theaustralian.news.com.au/story/0,25197,23051378-23289,00.html (The Australian – 1/15/08)

MALAYSIA

After 10 years in limbo, your privacy remains at stake
The Personal Data Protection Bill was drafted in 1998 but was never tabled in Parliament. After seven workshops and more feedback, a redraft was done in 2001. But even that remains in limbo. In the meantime, the personal data of Malaysians - including their financial records and contact numbers - remain open to abuse. Will the waiting continue? Instances of personal data being shared by various third parties without the individual's permission abound. They are set to keep increasing, especially with electronic transactions gaining momentum. And more so since there is no law prohibiting its abuse. That, say consumer advocates, is rather sad. After 10 years, two ministers and a name change for the ministry concerned, the Personal Data Protection Bill remains a bill.
http://www.nst.com.my/Current_News/NST/Sunday/National/2131002/Article/index_html (New Straits Times [Malaysia] – 1/12/08)
EUROPE

GERMANY

Privacy Debate Runs Hot in Germany
Ten years ago, Germany introduced a highly controversial eavesdropping law, which was later overturned by the courts. A decade later, however, advocates argue people's right to privacy is continuing to be eroded. The German "Eavesdropping Law" was passed by parliament on Jan. 16, 1998, amid a huge public outcry over concerns that people's private sphere was being invaded. The law allowed authorities to secretly plant bugs and microphones inside people's homes -- a domain which was previously seen as inviolable under the country's constitution.
http://www.dw-world.de/dw/article/0,2144,3063735,00.html (DW-World – 1/17/08)

TURKEY

Cameras in Istanbul, sacrificing privacy for security
Surveillance cameras installed in many parts of Istanbul and recently on its ferries are reminiscent of scenes described in George Orwell's book, “1984.” Although Istanbul became acquainted with the cameras of the Mobile Electronic System Integration Project (MOBESE) three years ago, the debate on the use of these cameras for security purposes resurfaced recently when it was reported that some of the suspects behind the recent spree of car torchings were identified through them. The number of cameras has increased as Istanbul Sea Buses and Fast Ferries Inc. (IDO), which operates the city's ferry routes, recently installed a total of 550 cameras on all of its 32 ferries and 35 terminals.
http://www.turkishdailynews.com.tr/article.php?enewsid=93474 (Turkish Daily News – 1/12/08)

UNITED KINGDOM

Prisoners 'to be chipped like dogs'
Ministers are planning to implant "machine-readable" microchips under the skin of thousands of offenders as part of an expansion of the electronic tagging scheme that would create more space in British jails. Amid concerns about the security of existing tagging systems and prison overcrowding, the Ministry of Justice is investigating the use of satellite and radio-wave technology to monitor criminals. But, instead of being contained in bracelets worn around the ankle, the tiny chips would be surgically inserted under the skin of offenders in the community, to help enforce home curfews. The radio frequency identification (RFID) tags, as long as two grains of rice, are able to carry scannable personal information about individuals, including their identities, address and offending record. The tags, labelled "spychips" by privacy campaigners, are already used around the world to keep track of dogs, cats, cattle and airport luggage, but there is no record of the technology being used to monitor offenders in the community. The chips are also being considered as a method of helping to keep order within prisons.
http://news.independent.co.uk/uk/politics/article3333852.ece (The UK Independent – 1/13/08)

MIDDLE EAST

NORTH AMERICA

CANADA

Ottawa urged to draft data breach notification law
In order to encourage major corporations to put greater emphasis on data security, an Ottawa-based public policy organization is calling for the creation of a publicly-accessible electronic registry for corporate data breaches. Responding to an Industry Canada request for public consultation on data security laws, the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) this week recommended that mandatory reporting of data breaches to a public registry is the most effective way to persuade corporations to shore up their potential security risks.
http://www.itworldcanada.com/a/News/2a5dabd3-706d-41a9-b8f2-60f7a40b230a.html (ITWorldCanada – 1/18/08)
SOUTH AMERICA

LEGISLATION – FEDERAL

The Time Is Now (Better Yet, Yesterday) For A Federal Data Breach Disclosure Law
It'll soon be five years since the California data breach disclosure law, better known as SB 1386, went into effect. So far the law has had some success. But we need a federal standard. For certain, the number of public security breach disclosures has risen dramatically since the law went into effect, including a number of blockbusters, such as those at ChoicePoint, TJX, and the VA. Prior to SB 1386, too many (read: nearly all) companies opted to ignore the data theft. But this newfound visibility has done little to help customers whose financially-related account information has been placed at risk.
http://www.informationweek.com/blog/main/archives/2008/01/the_time_is_now.html (Information Week – 1/15/08)

LEGISLATION – STATE

MISSOURI

New Missouri bill thumbs its nose at federal Real ID Act
Missouri would defy federal drivers licensing requirements in the name of privacy under a bill filed by a crusading legislator Thursday. Sponsored by Rep. Jim Guest, the bill would prohibit Missouri from complying with the Real ID Act of 2005. Responding to security concerns after Sept. 11, Congress passed the program, which sets common licensing rules that essentially make it harder to falsely obtain a drivers license. Since then, Guest, a Republican from King City in northwest Missouri, has been rounding up other states to oppose the law based on privacy concerns. "We have a federal government that is out of control," Guest said. The Legislature overwhelmingly passed a resolution asking the federal government to repeal the program last year; Guest's bill would go a step further by prohibiting the state from participating in the program entirely.
http://www.stltoday.com/stltoday/news/stories.nsf/missouristatenews/story/2EB80BAA10268E7A862573D400185966?OpenDocument (STLtoday.com – 1/17/08)

NEW HAMPSHIRE

Product-tracking bill held for more study
You probably have them in your cell phone, and maybe even your loafers -- tiny radio chips a warehouse and a big box store can scan to track each retail item, from loading ramp to loading ramp, from display shelf to purse. They cut losses to theft. They control inventory. But they also raise concerns among privacy advocates. One of those advocates, Rep. Neal Kurk, R-Weare, is the sponsor of House Bill 686, which would force a store to put a “buyer beware” label or symbol on every product that contains one of those radio frequency identification -- or RFID -- chips.
http://nhbr.com/apps/pbcs.dll/article?AID=/20080117/NEWS06/254701531 (New Hampshire Business Review – 1/17/08)

SOUTH DAKOTA

Privacy measure to be debated
A bill to deny public access to birth dates on master voter-registration lists is scheduled for a committee hearing this morning in the South Dakota Legislature. The measure is to be heard in the Senate Local Government Committee, scheduled for a 7:45 a.m. start. Secretary of State Chris Nelson says even if the bill passes, people could go to county courthouses and find birth dates on the individual voter registration cards. A compromise was being discussed to keep the year of birth on the master lists but not the month and day. Supporters say that would let political parties and candidates and others interested in age-group data find at least general ages.
http://www.argusleader.com/apps/pbcs.dll/article?AID=/20080114/MORNINGEXPRESS/80114009/1001/NEWS (Sioux Falls [SD] Argus Leader – 1/14/08)
VIRGINIA

College donor privacy at issue
At the request of the University of Virginia, two state lawmakers have introduced a bill that would allow the university to keep private the identities of donors who wish to stay anonymous. The bill - sponsored by Sen. Edward Houck, R-Spotsylvania, and Del. Glenn Oder, R-Newport News - would grant Virginia’s higher education institutions an exemption under the Freedom of Information Act to withhold a vast amount of personal information about their donors. UVa officials say they need to protect the privacy of donors. Open government advocates, on the other hand, point out that UVa is a public institution and argue that its finances must be transparent to ensure accountability.
http://www.dailyprogress.com/servlet/Satellite?pagename=CDP%2FMGArticle%2FCDP_BasicArticle&c=MGArticle&cid=1173354193476&path=!news (Daily Progress – 1/13/08)

LITIGATION & ENFORCEMENT ACTIONS

Life is Good settles security charges with FTC
Clothing retailer Life is Good Inc. has settled with the Federal Trade Commission over charges it did not properly secure shoppers' personal information. The FTC alleged that the company stored credit card information indefinitely on computers, without using proper encryption software or access controls. As a result, the FTC alleges that a hacker was able to attack Life is Good's Web site to access credit card numbers, expiration dates, and security codes of thousands of customers.
http://www.bizjournals.com/boston/stories/2008/01/14/daily64.html (Boston Business Journal – 1/17/08)

MOBILE/WI-FI

ODDS & ENDS

Super Bowl Security Plans Take Shape
As football fans get ready for NFL's conference championship weekend to see which teams will compete in Super Bowl XLII in Arizona next month, homeland security and FBI officials have completed a threat assessment to help officials plan security for the event. Although there is no credible threat information indicating an increased concern of attack in the United States, federal authorities have advised event planners and law enforcement to look for any signs of terrorist activity and to be vigilant.
http://www.abcnews.go.com/TheLaw/story?id=4148574&page=1 (ABC News – 1/17/08)

Food Commercials Reach the Supermarket
Microsoft Corp. is bringing digital advertising to the grocery cart. The software maker spent four years working with Plano, Texas-based MediaCart Holdings Inc. on a grocery cart-mounted console that helps shoppers find products in the store, then scan and pay for their items without waiting in the checkout line. The companies plan to test MediaCart in ShopRite supermarkets on the East Coast. Customers with a ShopRite loyalty card will be able to log into a Web site at home and type in their grocery lists; when they get to the store and swipe their card on the MediaCart console, the list will appear. As shoppers scan their items and place them in their cart, the console gives a running price tally and checks items off the shopping list. The system also uses radio-frequency identification to sense where the shopper's cart is in the store. The RFID data can help ShopRite and food makers understand shopping patterns, and the technology can also be used to send certain advertisements to people at certain points - an ad for 50 cents off Oreos, for example, when a shopper enters the cookie aisle.
http://hosted.ap.org/dynamic/stories/M/MICROSOFT_SHOPPING_CARTS?SITE=OHCOL&SECTION=HOME&TEMPLATE=DEFAULT (Associated Press – 1/14/08)
Visual additions to map sites raise privacy, safety questions
What Kory Dunton saw recently from behind the wheel of her Chevrolet, Tina Winslow will soon be able to access from her Mac Pro. Winslow is intrigued by the prospect, but also a bit worried. "All I can say is that I'm glad they're on our side," said Winslow, who owns an interactive marketing agency in Dallas. "I'm a little nervous that not everybody who has this technology will always be on our side." Dunton, 23, of Boston, was on one of two teams from a young company named EveryScape that have driven the streets of Dallas with four fish-eye-lens cameras strapped to the roofs of their cars.
http://www.kristv.com/Global/story.asp?S=7617381 (KRISTV, Corpus Christi, TX – 1/13/08)

ONLINE

Social, work lives collide on networking websites
Just after her honeymoon last March, Wadooah Wali took the de rigueur next step these days: She changed her status on the networking websites Facebook and MySpace from "in a relationship" to "married" and posted pictures of her partner — another woman. The well-wishes from friends and family poured in, stoking Wali's happiness. Then came a note that jolted her, noticeable for what it didn't say. No congratulations. Just: "Nice pictures." It was from a professional contact Wali hardly knew — someone to whom she never would have sent something as personal as a wedding announcement, let alone pictures. Wali likes to keep her personal life separate from her professional acquaintances, wary that some might react negatively to her sexual orientation. But suddenly her social circles had collided.
http://www.usatoday.com/tech/webguide/internetlife/2008-01-17-social-network-nobarriers_N.htm (USA Today – 1/18/08)

More people worried about Net privacy, study finds
Privacy concerns stemming from online shopping rose in 2007, a new survey finds, as the loss or theft of credit card information and other personal data soared to unprecedented levels. Sixty-one percent of adult Americans said they were very or extremely concerned about the privacy of personal information when buying online, an increase from 47 percent in 2006. Before last year, that figure had largely been dropping since 2001.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/01/17/BUQHUGPCA.DTL (SF Gate – 1/17/08)

MySpace Agrees to New Safety Measures
Under mounting pressure from law enforcement and parents, MySpace agreed Monday to take steps to protect youngsters from online sexual predators and bullies, including searching for ways to better verify users' ages. The hugely popular online hangout will create a task force of industry professionals to improve the safety of users, and other social-networking sites will be invited to participate. ''We must keep telling children that they're not just typing into a computer. They're sharing themselves with the world,'' said North Carolina Attorney General Roy Cooper. The deal comes as sites such as MySpace and Facebook have grown exponentially in recent years, with teenagers making up a large part of their membership. This has created a new potential venue for sexual predators who lie about their age to lure young victims and for cyber bullies who send threatening and anonymous messages. The only state not joining the agreement was Texas, where the attorney general said he cannot support the effort unless MySpace takes action to verify users' ages.
http://www.nytimes.com/aponline/technology/AP-MySpace-Agreement.html?_r=2&ref=technology&oref=slogin&oref=slogin (New York Times – 1/15/08)
  17. 17. RFID Hospitals tagging babies with electronic chips Over half the birthing facilities in Ohio are being equipped with an RFID infant protection system placed on infants at birth to prevent them from being abducted from the hospital or from being given to the wrong mother. "Standard protocol in the hospitals using the VeriChip system is that the baby receives an RFID anklet at birth and the mother receives a matching wristband," VeriChip spokeswoman Allison Tomek told WND. "The mothers are not asked." http://www.wnd.com/news/article.asp?ARTICLE_ID=59690 (World Net Daily – 1/15/08) Europe’s RFID Privacy Policy Might be a Mistake For almost two years now, the European Commission has been exploring the potential implications of radio frequency identification (see European Commission Works on RFID Policy). Realizing the importance of RFID, it has taken a proactive approach, funding several research projects that could spur adoption and enhance the competitiveness of European companies. The EC has also examined the implications RFID might have for consumer privacy, and is now close to publishing a report. I'm told it might recommend European retailers remove or deactivate RFID tags at the point of sale if requested by the consumer. It seems like a reasonable suggestion, and I wholeheartedly support a consumer's right to privacy. But the commission might be acting too hastily, because its recommendations could hurt European companies and slow RFID adoption in Europe—without actually enhancing consumer privacy. http://www.rfidjournal.com/blog/entry/3849 (RFID Journal – 1/14/08) SECURITY Weak Control System Security Threatens U.S. The weak security measures in place on infrastructure control systems may someday put U.S. utilities at risk of a coordinated attack, according to Jerry Dixon, the former acting director of the Homeland Security Department's National Cyber Security Division. 
Of particular concern to Dixon are the control systems to utility company substations. These systems are often controlled by dial-in modems, and often have outdated or nonexistent security and authentication technologies. Meanwhile, some of the control systems of utility company substations that are on a network are vulnerable to a crossover attack because they may be sharing their equipment with other, less sensitive systems. In addition, relatively little logging goes on with control systems, which makes it difficult to determine whether a failure is the result of an attack or misconfiguration. http://www.gcn.com/online/vol1_no1/45670-1.html (Government Computer News – 1/16/08) Top Ten Cyber Security Menaces for 2008 Listed Attacks on Web browsers--particularly plug-in components such as Flash and QuickTime--were named the top cybersecurity threat for 2008 by security experts at the SANS Institute, which recently released a top 10 list of this year's most dangerous threats. Browser components are being increasingly targeted because they are widely distributed and not automatically updated when the browser is updated. As a result, affected systems are vulnerable to attack for a longer period of time. Meanwhile, the increasing sophistication and effectiveness of botnets represent the second-biggest cybersecurity threat in 2008, according to SANS. Two new botnets, Storm and Nugache, operate through encrypted peer-to-peer channels, which means that there is no central server to shut down and botnet communication is difficult to block. Third on SANS' list is cyber espionage. SANS predicts that more data will be stolen from federal agencies and defense contractors by nation states such as China this year. In addition, more targets and increased sophistication will mean that the nation states that launch such attacks will enjoy a number of successes this year, the report predicts. 
http://www.informationweek.com/news/showArticle.jhtml?articleID=205604722 (InformationWeek – 1/15/08)
IM, Chat and P2P Network Attacks Up in 2007
Organizational networks, especially those running instant messaging and peer-to-peer file-sharing programs, face greater exposure to malware in 2008 than in previous years, predicts FaceTime Security Labs. A growing number of "greynets" (applications that run on corporate systems without IT approval) now arrive through real-time applications, IM, Internet protocol television, social networking sites, and search-engine toolbars. FaceTime says most organizations run eight to ten greynets per system, and predicts the number of greynets in circulation worldwide will grow from more than 600 to more than 1,000 by the end of this year. Among IM programs, Microsoft MSN received 45 percent of all attacks, Yahoo 20 percent, and AOL 19 percent. "IT managers need to ensure the safe use of approved applications and effectively detect and block the rogue use of unapproved applications," says FaceTime's Frank Cabri.
http://www.itpro.co.uk/news/154839/im-chat-and-p2p-network-attacks-up-in-2007.html (ITPro – 1/11/08)

New Predictive Approach Seeks to Stay Ahead of Hackers
Military and academic researchers from the Rochester Institute of Technology, the University at Buffalo, Pennsylvania State University, and the U.S. Air Force are working on CUBRIC, an intrusion prediction project that uses mathematical models and algorithms to predict an attacker's probable next moves once a network has been penetrated. "We want to be one step ahead of them and predict what they are going to do," says RIT computer engineering professor Shanchieh Jay Yang. "When they first get in, we try to observe what they are doing, and use that information to forecast their probable future actions." The goal of CUBRIC is to show how an intruder will react to particular network defenses and architectures, so that administrators can limit damage and better protect their systems.
Intrusion prediction modeling is meant to be one part of a larger network protection plan and is designed to defend against the different tactics used by network intruders, such as interrupting service or stealing data.
http://www.eetimes.com/showArticle.jhtml?articleID=205602814 (EE Times – 11/11/08)

Secure E-mail Standard Released
The Transglobal Secure Collaboration Program (TSCP) has released a Secure Email standard for communication among federal agencies and between the government and the organizations that deal with it. The U.K. Ministry of Defence, which formed the TSCP, and the U.S. Department of Defense will deploy the standard. Under TSCP, encrypted email is sent only to parties whose identity can be verified; the specification also covers identity authentication, validation, and access control for an organization. Secure Email, which is similar to the Federal PKI Bridge, requires an end-user encryption certificate tool for unpublished digital certificates and provides a way to verify that certificates are legitimate. As the government interacts with its own agencies as well as thousands of supply-chain partners and contractors, Secure Email is intended to protect sensitive information as it crosses those boundaries. Although TSCP was created in 2002, project details were finished only last year, and the DOD intends to launch a pilot this year.
http://www.gcn.com/online/vol1_no1/45656-1.html (Government Computer News – 1/11/08)

DDOS Botnets Thriving, Threatening
A wave of distributed denial-of-service attacks has plagued Eastern Europe, and security experts say such attacks could easily cross international boundaries. Throughout 2007, the Machbot, Barracuda, and BlackEnergy botnets were the most common DDoS threats, mass-deploying clandestine attacks.
The attacks have been politically motivated, targeting mostly government sites in Estonia and surrounding countries, and the alleged perpetrators have been linked to groups in Russia. Though no U.S. government sites have yet been hit by these botnets, Arbor Networks' Jose Nazario says the bots are "stealthier" than other bots, which makes it hard to determine which URLs to block. The bots carry their commands in ordinary HTTP web traffic, which often lets them slide under security radars; however, the commands are not encrypted, so researchers can readily decode them.
http://www.darkreading.com/document.asp?doc_id=142826&f_src=darkreading_informationweek (Dark Reading – 1/09/08)
Competition May Be Driving Surge in Botnets, Spam
The operators of a sophisticated emerging botnet known as Nugache appear to be expanding their network and cutting prices in an effort to compete with the rival Storm botnet, according to Secure Computing's Paul Henry. Henry notes that Nugache charges customers less than $100 to send out 1 million spam emails, and customers who send more than 10 million emails pay less than $80 per million. Those prices are partly to blame for the increase in foreign-language spam over the last several weeks, Henry says. Besides price, the two botnets also compete on size and reach. Although Nugache's size is difficult to estimate because its peer-to-peer architecture has no central command-and-control server to count from, Secure Computing has been able to observe at least 300,000 to 400,000 Nugache bots per day. That would make Nugache at least competitive with Storm, which is believed to comprise as many as 10 million bots.
http://www.darkreading.com/document.asp?doc_id=142690 (Dark Reading – 1/08/08)

Security Dominates 2008 IT Agenda
Security concerns are expected to dominate the network landscape in 2008, experts say. They are particularly concerned that Web sites and networks related to the 2008 Olympics in Beijing will be used to infect people's computers; Websense's Dan Hubbard says Olympics-related sites will also serve as a lure for fraud. Another likely problem this year is botnets with decentralized command-and-control structures, which are harder to shut down, says McAfee researcher Craig Schmugar. Experts do not expect any major exploits against VoIP systems this year, partly because the largest VoIP vendors use proprietary controls that are harder to obtain and study for vulnerabilities.
Other trends to watch this year, experts say, are the growing prevalence of 802.11n wireless technology and enterprises' increasing reliance on Web 2.0 technologies.
http://www.networkworld.com/news/2008/010208-crystal-ball-main.html (Network World – 1/07/08)

The Future of Information Security: 2008 and Beyond
The information security agenda for executives is expected to keep evolving in 2008. Perhaps the most important item on that agenda is data protection. The practice of protecting the confidentiality, integrity, and availability of data has not changed, but the type of data considered valuable has: intellectual property and insider information were once the most sought-after assets, and now it is identity information such as email addresses, Social Security numbers, and credit card details. Developing a data protection strategy has become harder because of executive demands for data availability, the leakage of sensitive information through email, jump drives and mobile devices, and the trend toward outsourcing and offshoring. Although data protection may be the biggest challenge information security organizations face this year, meeting internal and external compliance goals will be the most closely measured part of their security strategy.
http://www.cio.com/article/168352/The_Future_of_Information_Security_and_Beyond (CIO.com – 1/2/08)

Malware 2.0 Meets Security 2.0
Malware is becoming more sophisticated and reaches networks through a variety of channels, including social networking sites, instant messaging programs, and Web applications. To combat it, networks should combine URL filtering, secure Web gateways that filter content as users visit untrusted sites, and reputation filtering. Administrators can use URL filtering to keep employees off pornographic or gambling sites, which are often rife with malware.
With millions of sites on the Web, employers cannot realistically stop employees from ever reaching a page that carries a virus or spyware. Networks should therefore secure their Web gateways to filter malicious or unknown code out of Web traffic. Reputable sites infrequently carry malicious code, and a gateway can also categorize the sites users visit according to their reputation: content from a site such as CNN would not be scanned or filtered, while access to lesser-known sites may be blocked.
http://www.comnews.com/features/2007_december/1207_malware_meets.aspx (Communications News – 12/07)
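The three-tier decision described in the Malware 2.0 item above (URL filtering by category, reputation filtering, and content scanning only for sites with no reputation) as an added example; this is not code from the brief or from any product it mentions. The domain lists, the category table, the page-body signatures and the sample requests are all constructed for the illustration; a real gateway would feed the lists from a reputation and categorization service.

```python
"""Reputation-tiered web gateway decision logic.

Added illustration; the lists and signatures below are constructed sample
policy data, not taken from any product named in the brief.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample policy data (hypothetical domains in the .test TLD).
TRUSTED_DOMAINS = {"cnn.com", "bbc.co.uk"}        # reputable: allow, skip content scan
KNOWN_BAD_DOMAINS = {"malware-example.test"}      # bad reputation: block outright
CATEGORIES = {"casino-example.test": "gambling",
              "adult-example.test": "pornography"}
BLOCKED_CATEGORIES = {"gambling", "pornography"}  # URL-filtering policy

# Page-body signatures typical of drive-by download pages (constructed).
BODY_SIGNATURES = [
    ("hidden-iframe", re.compile(
        r"<iframe[^>]*((width|height)=['\"]?0\b|display:\s*none)", re.I)),
    ("eval-unescape", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
]


def ancestor_domains(host):
    """Yield host and each parent domain: 'a.b.c' -> 'a.b.c', 'b.c', 'c'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup(host, table):
    """Return the first entry in table matching host or one of its parents."""
    for domain in ancestor_domains(host):
        if domain in table:
            return domain
    return None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url):
    """Reputation decision made before any content is fetched.

    Returns (action, reason) with action one of 'allow' (no scan needed),
    'scan' (fetch and inspect the body) or 'block'.
    """
    host = urlsplit(url).hostname or ""
    if not host:
        return "block", "unparseable URL"
    if lookup(host, KNOWN_BAD_DOMAINS):
        return "block", "bad reputation"
    matched = lookup(host, CATEGORIES)
    if matched and CATEGORIES[matched] in BLOCKED_CATEGORIES:
        return "block", "category:" + CATEGORIES[matched]
    if is_ip_literal(host):
        return "scan", "IP-literal host, no reputation"
    if lookup(host, TRUSTED_DOMAINS):
        return "allow", "trusted reputation"
    return "scan", "unknown reputation"


def scan_body(body):
    """Names of the signatures that fire on a fetched page body."""
    return [name for name, rx in BODY_SIGNATURES if rx.search(body)]


def gateway_decision(url, body=None):
    """Full decision: reputation first; content scan only for the 'scan' tier."""
    action, reason = classify_url(url)
    if action != "scan":
        return action, reason
    hits = scan_body(body or "")
    if hits:
        return "block", "content:" + ",".join(hits)
    return "allow", "scanned clean"


if __name__ == "__main__":
    # Constructed sample requests: (URL, fetched body or None).
    SAMPLES = [
        ("http://edition.cnn.com/2008/index.html", None),
        ("http://www.casino-example.test/play", None),
        ("http://malware-example.test/dl.exe", None),
        ("http://203.0.113.7/a.php", "<html><script>eval(unescape('%41'))</script>"),
        ("http://some-new-site.test/", "<iframe src='x' width=0 height=0></iframe>"),
        ("http://some-new-site.test/about", "<html><p>Hello</p></html>"),
    ]
    for url, body in SAMPLES:
        print("%-45s %s" % (url, gateway_decision(url, body)))
```

The ordering in classify_url matters: reputation and category blocks are checked before the trusted list, and IP-literal hosts never earn the trusted tier because there is no domain to have a reputation. The example keeps the trade-off the summary describes, a trusted site skips the body scan entirely, so a compromised page on a reputable domain would pass; that is the argument for keeping the trusted list short and treating the scan tier as the default.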
SEMINARS

ACI's 7th National Symposium on Privacy & Security of Consumer and Employee Information
January 23-24, 2008, Philadelphia, PA
http://www.americanconference.com/privacy

Computer Professionals for Social Responsibility: Technology in Wartime Conference
January 26, 2008, Stanford University
http://cpsr.org/news/compiler/2007/Compiler200707#twc

IAPP Privacy Summit
March 26-28, 2008, Washington, D.C.
http://www.privacysummit.org/

Future of the Internet Economy - OECD Ministerial Meeting
June 17-18, 2008, Seoul, Korea
http://www.oecd.org/document/19/0,2340,en_2649_37441_38051667_1_1_1_37441,00.html

Conference on Ethics, Technology and Identity
June 18-20, 2008, The Hague
http://www.ethicsandtechnology.eu/ETI

PAPERS

2008 Digital Future Report (USC - Annenberg School)
http://www.digitalcenter.org/pages/current_report.asp?intGlobalId=19
Also see: 2008 Digital Future Report Executive Summary
http://www.digitalcenter.org/pdf/2008-Digital-Future-Report-Final-Release.pdf

Enterprise@Risk: 2007 Privacy & Data Protection Survey (Deloitte)
http://www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D182733%2C00.html
