Group items tagged

Social media is on the rise, and so are the privacy and security risks. Is it time to dial back on the whole Web 2.0 'friend' thing? The social media honeymoon is officially over. While it may not yet be time to fly to Reno for a quickie divorce, you might want to start thinking about sleeping in separate bedrooms for a while. Example du jour: Over the weekend, a rogue application spread across Facebook, warning users about bogus errors in their profiles. Clicking on the "Error Check System" app causes it to send false warnings to your entire FB posse, per the unofficial AllFacebook blog. There doesn't seem to be any payload associated with that app besides driving traffic, but the potential for abuse is obvious. But a bigger problem on social nets is an old familiar one: spam. So far, spam only accounts for about 5 to 25 percent of all e-mail passed on social networks, versus 90 percent of regular e-mail, says Adam O'Donnell, director of emerging tech for Cloudmark, which filters spam for some large social nets (but won't identify which ones). As more people start tweeting about what their cats ate for lunch and share their Facebook profiles with near-total strangers, though, that number will only grow. The type of spam on social networks is different too, says O'Donnell. Think fewer fake Viagra come-ons, more social engineering scams. In other words, the junk you get on social networks is more likely to be aimed at stealing your credentials or your identity -- and thus much more dangerous than garden-variety spam.

Bruce Schneier is the chief security technology officer at BT and a celebrated writer and speaker on privacy, cryptography and security issues. Welcome to the future, where everything about you is saved. A future where your actions are recorded, your movements are tracked, and your conversations are no longer ephemeral. A future brought to you not by some 1984-like dystopia, but by the natural tendencies of computers to produce data. Data is the pollution of the information age. It's a natural byproduct of every computer-mediated interaction. It stays around forever, unless it's disposed of. It is valuable when reused, but it must be done carefully. Otherwise, its after effects are toxic. And just as 100 years ago people ignored pollution in our rush to build the Industrial Age, today we're ignoring data in our rush to build the Information Age. Increasingly, you leave a trail of digital footprints throughout your day. Once you walked into a bookstore and bought a book with cash. Now you visit Amazon, and all of your browsing and purchases are recorded. You used to buy a train ticket with coins; now your electronic fare card is tied to your bank account. Your store affinity cards give you discounts; merchants use the data on them to reveal detailed purchasing patterns.

The largest threat to online advertising is growing as the economy declines. More individuals will turn criminal, purchasing products or generating income through fraudulent means. Billions of dollars are stolen from businesses each year, and in 2009 companies will fight fraud with fewer resources.According to CyberSource, an estimated $4 billion dollars was lost to fraud in 2008 up from $3.7 billion in 2007, and 87% of merchants must fight fraud with the same or less staff in 2009. The increase in eCommerce fraud from 2007 to 2008 (and one can expect, in 2009) follows the advertisers' shift to spend more of their budget online. Much like crime statistics, one has to wonder how much fraud is not being reported because, among many reasons, commission-driven employees are not motivated or your company lacks resources.In early 2008, I was approached by our CEO to start a new division that would address our partners' fraud concerns-both real and perceived. He said, "I'm not going to lie to you. It's a SOB job." I was sold, and the Best Practices Division began.My team establishes best practices (measurable, repeatable events, processes, and procedures) and applies them internally and externally (to our partners' online marketing practices). At its core, best practices (BPs) are a set of standards that provide transparency and clear expectations of behavior and results to everyone involved in the business process. This accountability will drive the long-term performance of the online advertising industry while maintaining profitability without additional federal regulation.The BP approach can be applied to every business model and used to fight fraud-wherever you find it. Industry norm places the onus on the advertiser to successfully qualify inbound leads as well as identify fraudulent traffic. In the past, advertisers had only two options: become an online fraud expert, or hire a vendor.Only a small percentage of companies will be successful with the

Twitter Inc. has launched a comprehensive review of the defenses in its popular social network and microblogging service after hackers hijacked the accounts of several high-profile users on Monday. In interviews this week, analysts said they were surprised that sites such as Twitter, which are potentially hot targets for hackers and phishers, had long avoided such major attacks, and thus strong scrutiny by its corporate users. Since the widely publicized hack of Twitter, analysts said they are closely watching how the site and especially its corporate customers respond to the security breach.

The departments of Defense, State, and Health and Human Services have not met legal requirements meant to protect Americans' civil liberties, and a board that's supposed to enforce the mandates has been dormant since 2007, according to federal records. All three departments have failed to comply with a 2007 law directing them to appoint civil liberties protection officers and report regularly to Congress on the safeguards they use to make sure their programs don't undermine the public's rights and privacy, a USA TODAY review of congressional filings shows. An independent Privacy and Civil Liberties Oversight Board set up to monitor the departments hasn't met publicly since 2006; it no longer has members. Government missteps such as putting innocent people on terrorist watch lists and misusing administrative warrants, known as national security letters, "might have been dealt with much sooner if we had … cops on the beat to make sure there are standards that are being upheld," says Caroline Fredrickson, legislative director at the American Civil Liberties Union (ACLU). The lack of civil liberties officers at State and Health and Human Services is troubling because the departments hold passport and medical records, says James Dempsey, vice president of the Center for Democracy and Technology. "Security of that information is very important," he says, and these officers should monitor how it's used and shared. The Pentagon also has sparked concerns. Its Counterintelligence Field Activity office was criticized by the ACLU for wrongly tracking anti-war groups - a charge confirmed by the Pentagon in 2006. A 2007 law requires eight departments and agencies to have civil liberties officers and file reports. Justice, Homeland Security, Treasury, the CIA and the Office of the Director of National Intelligence have done so. Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, leaders of the Homeland Security committee, says departments not in compliance will b

A Port Washington medical practice was defrauded of nearly $250,000 by a former employee who for four years paid her credit card bills with automatic debits from a doctor's checking account, Nassau police said. Debra Camilo, 42, of 110 Malba Dr., Whitestone, began the transfers in the spring of 2004 and even though she was fired a year later -- for reasons unrelated to the fraud -- she continued until July 2008, police said. All told, the former office manager made more than 80 unauthorized debit transfers to her Visa credit card amounting to $241,341, police said. Crimes against property bureau detectives arrested Camilo Thursday afternoon in Manhasset and charged her with grand larceny, identity theft and fraud. She was scheduled for arraignment Friday in First District Court, Hempstead.

Until now, lawsuits seeking to recover significant damages based on the loss of, or unauthorized access to, sensitive personal information have not been especially successful for plaintiffs. Most companies suffering data breaches have escaped by offering affected consumers inexpensive credit monitoring services. But two recent cases show plaintiffs a way to expose many previously safe companies to substantial claims for damages. Any company that thinks there are no risks in employing less than best practices for data privacy and security needs a wake up call. The headlines are all too familiar. Some well known consumer services company (or less known wholesale data processor) announces that millions of individual records containing names, Social Security numbers, account numbers and other sensitive information were left in a dumpster, saved to a stolen, unencrypted laptop, or stored on a misplaced USB drive or backup tape. The press is terrible, the company's stock takes a temporary plunge, and sometimes the Federal Trade Commission enters into a consent decree where the company promises to never do it again. But when affected individuals or groups of consumers tried to sue for damages, they seldom recover significant amounts. These cases have not often succeeded because the plaintiffs have been unable to prove actual pecuniary losses resulting from the security breach. Sure, if identify theft occurs the affected individuals can suffer significant emotional trauma, loss of time, etc. But Courts have been unwilling to award damages for anxiety, fear, and other emotional harm that can result from a data breach, for the risk of future identify theft, or for actual identity theft when the plaintiff could not prove that the theft occurred as a direct result of a data breach at a particular source. Most companies facing claims based on data breaches have been able to settle cheaply by offering to provide credit monitoring services, which most consumers do not use, resu

Current government rules do too little to protect the privacy of people's personal health information and also hinder the use of health data in medical research, a panel of experts reported on Wednesday. A committee of the Institute of Medicine, which provides advice to U.S. policymakers, urged Congress to take an entirely new approach to protecting personal health data in research. Federal standards for protecting privacy of personal health data under the Health Insurance Portability and Accountability Act of 1996, or HIPAA, are not doing the job, the panel said. Congress and the Obama administration are planning major changes this year to the U.S. health care system. Regarding the privacy rules, Congress should either start from scratch or thoroughly overall HIPAA's privacy provisions, the panel said. Better data security is needed, with greater use of encryption and other security techniques, the panel said. Encryption should be required for laptops, flash drives and other devices containing such data, it said. "Both privacy and health research are important. And we feel that we can strengthen privacy protections for people who participate in research while also allowing important research to proceed without unnecessary impediments," Dr. Bernard Lo of the University of California San Francisco, a member of the panel, told reporters. HIPAA governs how personally identifiable health information can be used and disclosed by health plans, health care providers and others. The intention is to protect personal health information while permitting the flow of information for health-related research and medical care. Lo said HIPAA has burdensome and confusing procedures for people to consent to have their health data used in medical research, dissuading people from taking part in such research.

A group of U.S. companies, led by technology giants Microsoft, Hewlett-Packard and eBay, is set to outline recommendations for new federal data-privacy legislation that could make life easier for consumers and lead to a standard federal breach-notification law. The recommendations, which were developed by a group of industry players called the Consumer Privacy Legislative Forum, are set to be released at an upcoming privacy conference six weeks from now, according to Peter Cullen, Microsoft's chief privacy officer. The companies have been working for the past three years to encourage the adoption of federal consumer data-privacy laws and to answer the question of what federal legislation should look like, Cullen said in an interview. Other forum members include Google, Oracle, Procter & Gamble and Eli Lilly. One idea is that laws should make it easier for consumers to understand what they're getting into when they share their personal data with Web sites, Cullen said. "The whole focus on consent really puts an unfair burden on the consumer," he said. "My mom doesn't know what an IP address is." The recommendations will cover rules around data use and the ability of consumers to correct inaccurate data. And they will cover data breach notification, which is now covered by a patchwork of state laws. Simplifying breach-notification laws by creating a single federal standard is important, Cullen said Wednesday while speaking at a discussion of privacy policy in San Francisco. "It's not that there is no privacy law. There's actually too much privacy law," he said. "If you think about data-breach notification laws just as an example, there are 38 state laws, many of them very different." "We need to think about much more of a framework approach." Congress has passed some laws covering consumer data privacy, such as the 1996 Health Insurance Portability and Accountability Act (HIPAA), but existing laws do not comprehensively cover consumer privacy in general.

In October 2001, the Bush administration took an administrative action that would prove sadly symptomatic of its rule. John Ashcroft, then the attorney general, issued a memorandum warning against casual release of information to the public under the Freedom of Information Act. Such releases, Ashcroft said, should be made "only after full and deliberate consideration of the institutional, commercial and personal privacy interests that could be implicated." In case anyone missed the point, Ashcroft added that any bureaucrat who said no to such a request could "be assured that the Department of Justice will defend your decisions unless they lack a sound legal basis." It goes without saying that Ashcroft did not promise any such defense of government employees who released information under the terms of the act. If cavalier disregard of the law and the public's right to hold its government accountable were hallmarks of the recently departed administration, we can only hope that President Obama's response signals a new approach. One of his first presidential acts was to issue a memo to federal agencies on the Freedom of Information Act. It opens by quoting former Supreme Court Justice Louis Brandeis' pronouncement that sunlight is the "best of disinfectants" and continues by trumpeting the act as "the most prominent expression of a profound national commitment to ensuring an open government." Where Ashcroft searched for excuses to withhold information, Obama directed all agencies to "adopt a presumption" in favor of releasing it.

Exactly one week after the Heartland Payment Systems (HPY) breach was first announced to the public, the first lawsuit has been filed against the payments processor. The class action lawsuit filed Tuesday by Chimicles & Tilellis LLP of Haverford, PA in the U.S. District Court for the District of New Jersey on behalf of Woodbury, MN resident Alicia Cooper, asserts that Heartland "made unreasonably belated and inaccurate statements concerning the breach." The complaint says Heartland does not appear to be offering any credit monitoring services or other relief to consumers affected by the breach. Chimicles & Tilellis' complaint also says in addition to the questionable timing of the announcement of its breach, (Read Heartland Class Action suit PDF) "there are materially misleading statements and omissions in Heartland's public description of the breach and its consequences." Heartland announced the breach in a press release on the same morning of President Barack Obama's inauguration. The law firm says it is suing on behalf of consumers whose sensitive financial information was compromised in the data breach at Heartland. The complaint raises a claim pursuant to the New Jersey Consumer Fraud Act, and asserts causes of action for negligence, breach of implied contract, breach of contracts to which Plaintiffs and Class members were intended third party beneficiaries, breach of fiduciary duty, and negligence. The payments processor did not disclose how many credit card account numbers were compromised as a result of the breach. Heartland is the fifth largest payment processor in the country and handles 100 million transactions per month for more than 250,000 small retailers, gas stations, restaurants and other small and midsized companies. The suit also states that Heartland only became aware of the breach after it was notified of patterns of fraudulent credit card activity by VISA and MasterCard. "Analysts have stated that the fact that Heartland did not detect th

On Monday two women from Fort Pierce were arrested for committing 300 different cases of Identity theft on the Treasure Coast and South Florida. The two women go by the names of Tychell Letrein Robinson, 33 and Patrice V. Johnson, 26. According to the Federal Trade Commission, in 2007 Florida took fifth place in nation with regards to the number of ID theft victims per 100,000 residents. The FTC also estimated that about 9 million Americans have their identities stolen every year. The Fort Pierce Police Department, the Port St. Lucie Police Department, the Sheriff's Office as well as the U.S. Postal Service worked together in a two year investigation in order to track down these two criminals. Law enforcement agencies discovered that the arrested had somehow managed to steal the personal information of several victims and open new accounts in their names. Authorities believe that the women bought a lot of their identifying information from accomplices. In a news conference on Monday afternoon, Sheriff Ken Mascara mentioned that criminal circles were well aware that the arrested would pay accomplices $50 in exchange for peoples sensitive information. Authorities discovered that the two women met while they were both under the employment of Liberty Medical. Apparently Robinson headed the criminal operation and taught Johnson all she needed to know with regards to making thousands of dollars every week through identity theft. The arrested managed to target victims in Florida from Orlando to Clearwater and even Palm Beach. The majority of victims were from St. Lucie County and the Treasure Coast. Unfortunately it is still not clear to law enforcements exactly how the women obtained all the stolen information. police.jpg It was in the early hours of Monday morning that the police arrived at the homes of the arrested with search warrants. Two vehicles, six computers and ledgers filled with victims sensitive information were confiscated by authorities, and the women w

The software vendor's commissioned research will be revealed during a panel discussion with leaders from the California Office of Privacy Protection, Intel, and MySpace. Wednesday, Jan. 28, 2009, is Data Privacy Day, and to mark the occasion, Microsoft is participating in a panel discussion in San Francisco with privacy experts from the California Office of Privacy Protection, the Center for Democracy and Technology, Intel (NSDQ: INTC), and MySpace. Better this week than last, when Heartland Payment Systems and Monster.com disclosed major malware-driven data breaches that promise privacy headaches or worse for affected account holders. It is such incidents that worry Peter Cullen, Microsoft (NSDQ: MSFT)'s chief privacy strategist, because of the impact they can have on consumer trust. "Trust is becoming increasingly important," he said. That's why Data Privacy Day exists. Microsoft and other organizations recognize that without trust, the online economy only gets worse for everyone. Cullen explained that Data Privacy Day represents a global opportunity for organizations and individuals to come together to discuss how to better educate consumers about data privacy issues. One way to advance the discussion, Cullen said, was to commission some research, which Microsoft did in two cities, in California and Texas. "We wanted to understand how different segments of consumers, from teens to professionals to boomers, thought about privacy," he said. "There were some rather interesting results that came out of this." "Our hypothesis is that across these three segments, there would be different ways of thinking about these things," said Cullen. "We were really surprised to learn there's a large degree of similarity in the way people think about privacy."

It's funny. Was it just a month ago that we were enjoying the holiday respite, wondering what 2009 would have in store for us? Mind you, I didn't have any delusions. After the breaches, news events and regulatory issues of 2008, I didn't think we were going to turn the calendar page and emerge in a new world of a healthy economy and soaring consumer confidence. But neither did I think, four weeks later, we'd already have our first major security breach of the year - Heartland Payment Systems (HPY) and that it would so dominate our industry's attention. I get it, though, why we're so enamored of this case. It speaks to our biggest fears, first of all, that unknown electronic assailants can sneak into our systems and pry away our customers' names and critical information. Then there's the unknown enormity - we truly don't know how big this breach was. And, finally, it hits home. For you, the banking institution, you're the one left replacing your customers' cards and explaining why. For me, the banking customer ... well, mine is one of the banks doing the explaining. Needless to say, we're monitoring accounts closely. So, we were among the first to break the Heartland story when it first broke last Tuesday, and we've continued to follow it closely. After the initial media surge, where we saw news outlets and solutions providers tripping over one another to opine over what they think happened to Heartland and what it all means, here is what I believe we've learned so far from the case: 1) The Damage Goes Far Beyond the Breach. Heartland execs absolutely did the right thing by stepping forward last week and saying "We were breached," but the company has suffered for it ever since. The market responded to the news by gutting the company's value from over $14 per share last Tuesday to a low of just under $8 this week. Reputationally, you just can't measure the damage - Heartland is now synonymous with "breach," and that's a tough tag to shake. Unable to answer quest

The Electronic Privacy Information Center formally asked the Federal Trade Commission on Tuesday to investigate the privacy and security safeguards of Gmail, Google Docs and other so-called cloud computing services offered by Google to consumers. The filing points to a security breach earlier this month that may have improperly exposed the files of Google Docs users to others. It asks the F.T.C. to look into the adequacy of privacy and security safeguards of Google's services and to require Google to be accountable for breaches. It also asks the agency to force Google to make its security policies more transparent and to disclose any breaches. It also asks the F.T.C. to enjoin Google from offering cloud computing services until it establishes verifiable safeguards. The full filing is available here. Marc Rotenberg, EPIC's executive director, said he was concerned about all cloud computing services, which encourage users to store a growing number of documents on the servers of companies like Google, Yahoo, Microsoft and others. But he said that EPIC focused on Google because it is the primary provider of cloud computing services to consumers.

It's unclear whether a report being prepared for President Barack Obama on federal information security preparedness will support recent calls for the creation of a new cybersecurity office within the White House, two lawmakers said last week. Instead, the report may recommend a more collaborative and cooperative strategy among federal agencies on the issue of cybersecurity without a single agency or department in charge, they said. Members of the U.S. House Cybersecurity Caucus met with Melissa Hathaway, acting senior director for cyberspace for the National Security Council and Homeland Security Council. Hathaway, who is conducting a 60-day review of federal cybersecurity preparedness on behalf of the president, Thursday presented a status report to members of the caucus. Speaking with reporters after the briefing, Rep. James Langevin (D-R.I.), co-chair of the caucus, and Rep. Yvette Clarke (D-N.Y.), chairwoman of a subcommittee within the Committee on Homeland Security, said it was unclear yet what Hathaway might recommend. Rather than "include another structure" within the White House, there may be a call for an increase in staffing within the White House Office of Management and Budget (OMB) in a bid to improve its current role of overseeing government cyberaffairs, said Langevin. Chances are "there will not be one king," he said. Langevin co-chaired a commission at the Center for Strategic and International Studies, a bipartisan think tank, that has called for the creation of a centralized cybersecurity office in the White House to be named the National Office for Cyberspace. The new office could combine the National Cyber Security Center (NCSC) and the Joint Interagency Cyber Task Force, two existing agencies that are handing cybersecurity today. The U.S. Government Accountability Office (GAO) has also called for a new office dedicated to cybersecurity within the White House. Calls have been prompted by what is perceived as the inability of the U.S. De

Promoting Privacy And Free Speech Is Good Business This Guide will help you make smart, proactive decisions about privacy and free speech so you can protect your customers' rights while bolstering the bottom line. Failing to take privacy and free speech into proper account can easily lead to negative press, government investigations and fines, costly lawsuits, and loss of customers and business partners. By making privacy and free speech a priority when developing a new product or business plan, your company can save time and money while enhancing its reputation and building customer loyalty and trust.

Government Information Security Podcasts As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Probing Federal IT Security Programs: Gregory Wilshusen, GAO February 23, 2009 Government Accountability Office auditors will have a busy spring, examining a number of federal government programs aimed at securing government information systems and data. In an interview with GovInfoSecurity.com, Gregory Wilshusen discusses how the GAO is looking at how private industry and two dozen federal agencies employ metrics to measure the effectiveness of information security control activities. Other current GAO information security investigations he discusses include: Federal Desktop Core Configuration intended to standardize security features on personal computers purchased by the government. Trusted Internet Connection initiative aimed at slashing government Internet connections to fewer than 100 from more than 2,000. Einstein automated networking monitoring program run by U.S Computer Emergency Readiness Team. Gregory Wilshusen is director of information security issues at GAO, where he leads information security-related studies and audits of the federal government. He has more than 26 years of auditing, financial management and information systems experience. Before joining GAO in 1997, Wilshusen served as a senior systems analyst at the Department of Education as well as the controller for the North Carolina Department of Environment, Health and Natural Resources.

(March 31, 2009) First Data Corp. announced on Tuesday it will use technology from Inside Contactless, a French chipmaker, for its Go-Tag product, a sticker that can be affixed to mobile phones to make them work like contactless-payment devices. Under the three-year agreement, Inside Contactless will supply so-called prelams, or chip-and-antenna elements, that card manufacturers can use to manufacture the stickers for First Data. Up to now, Go-Tags have been proprietary devices for use in so-called closed-loop networks involving individual merchants, but with Inside Contactless's technology the product will likely be usable by mid-year on the payWave and PayPass contactless platforms operated by Visa Inc. and MasterCard Inc., pending certification on those systems, according to industry sources. A First Data spokesperson will not comment beyond Tuesday's announcement concerning the company's arrangement with Inside Contactless to provide prelams for Go-Tags. In addition, CPI Card Group, a card manufacturer based in Littleton, Colo., last fall said it expected to ship millions of contactless stickers based on prelams from Inside Contactless (Digital Transactions News, Oct. 15, 2008). CPI's customers are financial institutions interested in using the stickers to permit contactless transactions on payWave and PayPass. CPI is a manufacturer of Go-Tags, but will not comment on any plans for that product. First Data's deal with Inside Contactless follows by one day an announcement by Blaze Mobile Inc., an Alameda, Calif.-based provider of applications for mobile devices, that it is introducing a similar sticker that will work on the PayPass platform. The product works with the Blaze Mobile Wallet, a service the 4-year-old company launched a year ago when it was known as Mobile Candy Dish Inc. (Digital Transactions News, April 10, 2008). The stickers link to prepaid accounts managed by MetaBank, a Storm Lake, Iowa-based unit of Meta Financial Group Inc. Devel

A defunct payment gateway has exposed as many as 19,000 credit card numbers, including up to 60 Australian numbers. The discovery by a local IT industry worker was made by mistake and appears to be caused by a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone. The cached data, viewed by iTnews, includes 22,000 credit card numbers, including CVVs, expiry dates, names and addresses. Up to 19,000 of these numbers could be active. Most are customers in the US and Britain although some are Australian. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of companies, including UK retailers of laboratory supplies, sports and health goods, apparel, photo imaging and clothing.