Group items tagged

THE Government is looking to develop a way to protect individuals' personal data that can 'best address' three issues. These are privacy concerns, commercial requirements and national interest. An inter-ministry committee is already reviewing the issue, said Minister for Information, Communications and the Arts Lee Boon Yang. 'As data protection is a complex issue, with extensive impact on all stakeholders, this review will take some time,' he said. He said this in a written reply to a question posed by Ms Lee Bee Wah of Ang Mo Kio GRC in Parliament on Monday. She had asked if his ministry will consider a comprehensive privacy law, and wanted to know what laws there are to protect people from spam mail and the unauthorised sale of personal information. Also, what about those whose photographs have been posted on blogs and other new media platforms without their authorisation, she had asked. This would be considered a 'civil matter', said Dr Lee. 'The aggrieved persons could first ask the site's webmaster to remove the pictures,' he said. 'As with matters relating to online libel and personal defamation, they could also seek professional legal advice to determine the most appropriate legal recourse.' As for the protection of personal data, the minister said that although no generic data protection law exists, such data is still protected. He listed the various measures that are already in place. For instance, there are 'strict provisions' in sectoral laws such as the Banking Act, and codes for medical professionals to protect sensitive financial and health information, he said. There are also other industry codes of practices against the unauthorised use of personal information, he added. For example. the Telecom Competition Code requires licensees to take 'reasonable measures' to prevent the unauthorised use of consumers' information. In addition, there is a voluntary privacy code, which has been adopted by many companies in the private sector, said Dr

The owner of a website onto which a purportedly stolen Goldman Sachs Group Inc computer code was downloaded has declined to say whether or not other people accessed the code while it was on the site. Roopinder Singh, who runs file storage website xp-dev.com, told Reuters in London on Friday that computer files show whether or not the valuable code -- which U.S. prosecutors have charged former Goldman employee Sergey Aleynikov with stealing -- was viewed by others, but he declined to say what they show due to the scale of the case. According to Singh, accounts at xp-dev.com initially have a privacy setting that only lets the user see them. However, users can change that setting to allow other people to view files. "Private is the default," he said. "You then have the option ... You can explicitly either share it (or keep it private)." He declined to say what the settings on Aleynikov's account were.

DURING the Parliament session on Monday, MP of Ang Mo Kio GRC Ms Lee Bee Wah, asked the Minister of Information, Communications and Arts, Dr Lee Boon Yang, whether a comprehensive privacy law will be introduced to protect the privacy of individuals and their personal data. She also queried about the existing laws which are in place to protect people from spam mails and unauthorised sale of personal information, as well as protecting people whose photographs are posted on blogs and other new media platforms. Dr Lee's reply was: "The Government recognises the importance of data protection and the need to protect personal data. At the same time, we also appreciate the impact of data protection on businesses and the general public. I had previously informed the House that an Inter-Ministry Committee is reviewing Singapore's data protection regime. This review is on-going. We are currently looking into developing a data protection model that can best address Singapore's privacy concerns, commercial requirements and national interest. As data protection is a complex issue with extensive impact on all stakeholders, this review will take some time." With regards to unauthorised Use of personal data, he replied: "While there is currently no generic data protection law, it does not mean that there is no protection of personal data. In fact we have in place strict provisions in sectoral laws, such as the Banking Act and codes for medical professionals to protect sensitive financial and health information. There are also other industry codes of practices against the unauthorised use of personal information. For example, in the telecommunications sector, under the Telecom Competition Code, IDA requires licensees to take reasonable measures to prevent the unauthorised use of End User Service Information. A telecom licensee would be in breach of the Code if it shares with third parties its customers' information that was obtained from the use of its service, without the cust

"A federal law designed to prevent employers and health insurers from discriminating against an individual based on their genetic predisposition to disease took effect late last month, signaling a new era where intermingling genetic advances and privacy concerns create new challenges in health care. But left out of the federal Genetic Information Nondiscrimination Act, commonly known as GINA, were privacy protections for individuals seeking long-term care, disability and life insurance coverage. Each of those areas was left up to the individual states. At least 10 states regulate the use of genetic information in long-term care insurance. But in California, privacy protections were left to expire by lawmakers in January 2008. Mark Billingsley, spokesman for state insurance commissioner Steve Poizner, said in an e-mail that there "appears to be a giant loophole" in California's insurance code regarding long-term care insurance and genetic privacy protections. He said he couldn't identify a single provision in the state code that would preclude a private insurer from requesting such a test for underwriting purposes. "

Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems. Using peer-to-peer applications, which computer users download to share files, most commonly music and movies, M. Eric Johnson, director of the Center for Digital Strategies at Dartmouth College in Hanover, N.H., was able to access electronic medical records on computers that had the peer-to-peer programs stored on their hard drives. The medical files contained detailed personal data on physical and mental diagnoses, which a hacker could use to not only embarrass a patient but also to commit medical fraud. One of the largest stashes of medical data Johnson discovered during two weeks of research he conducted in January was a database containing two spreadsheets from a hospital he declined to identify. The files contained records on 20,000 patients, which included names, Social Security numbers, insurance carriers and codes for diagnoses. The codes identified by name four patients infected with AIDS, the mental illnesses that 201 others were diagnosed as having and cancer findings for 326 patients. Data also included links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.

A former Goldman Sachs computer programer accused of stealing secret trading codes from the investment bank was being held in federal custody on Monday, pending the posting of $750,000 bail. Sergey Aleynikov, 39, was ordered by U.S. Magistrate Kevin Nathaniel Fox in Manhattan on Saturday to post a $750,000 personal recognizance bond to be secured by three financially responsible people, according to court documents. The bond also was to include $75,000 in cash, and Aleynikov was ordered to surrender his passport and not to access the computer data at issue in the case. A preliminary hearing in his case was scheduled for August 3. Aleynikov, a Russian immigrant living in New Jersey, was arrested on Friday night by FBI agents as he got off a flight at Newark Liberty International Airport, according to court documents. He is accused of "theft of trade secrets" related to computer codes used for sophisticated automated stock and commodities trading at an unspecified, New York-based financial institution, according to the court affidavit filed by FBI special agent Michael McSwain. Sources familiar with the situation have told Reuters columnist Matthew Goldstein that the financial institution is Goldman Sachs. A Goldman representative declined to comment on Monday. A lawyer for Aleynikov, Sabrina Shroff, also declined to comment.

Network Solutions Hack Compromises 573,000 Credit, Debit Accounts Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned. Herndon, Va. based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

"As the federal government readies the third iteration of Einstein, privacy concerns over the intrusion detection system were voiced at a Senate hearing on Tuesday. Philip Reitinger, Department of Homeland Security deputy undersecretary for the National Protection and Programs Directorate, told the Senate Committee on the Judiciary's Subcommittee on Terrorism and Homeland Security that DHS envisions deploying Einstein 3 as an intrusion prevention system. Einstein 1 monitors network flow and Einstein 2 detects system intrusions. "This more robust version of Einstein would provide the federal government with an improved early warning and an enhanced situational awareness; the ability to automatically detect malicious activity; and the capability to prevent malicious intrusions before harm is done," Reitinger said. But Gregory Nojeim, senior counsel and director of Project Freedom, Security and Technology at the Center for Democracy and Technology, cited press accounts that Einstein 3 would rely on pre-defined signatures of malicious code that might contain personally identified information, and threaten the privacy of law-abiding citizens. "While Einstein 2 merely detected and reported malicious code, Einstein 3 is to have the capability of intercepting threatening Internet traffic before it reaches a government system, raising additional concerns," Nojeim testified. Einstein 3 reportedly could operate within the networks of private telecommunications companies, and Nojeim wondered if the technology could analyze private-to-private communications. "If Einstein were to analyze private-to-private communications, that would likely be an interception under the electronic surveillance laws, requiring a court order," he said. "

"A German computer scientist has published details of the secret code used to protect the conversations of more than 4bn mobile phone users. Karsten Nohl, working with other experts, has spent the past five months cracking the algorithm used to encrypt calls using GSM technology. GSM is the most popular standard for mobile networks around the world. The work could allow anyone - including criminals - to eavesdrop on private phone conversations. Mr Nohl told the Chaos Communication Congress in Berlin that the work showed that GSM security was "inadequate". "

As your day ticks by, it seems that everything you do can leave a data trail. From your purchases online to the resumes you post, to health care transactions made with your insurance cards, you probably are exposing your own personal data to possible snooping, fraud, or identify theft. "Having so much sensitive information available makes it even more difficult for other organizations to release information that is effectively anonymous," says Latanya Sweeney, associate professor of computer science, technology and policy, and director of Carnegie Mellon's Data Privacy Lab. Sweeney demonstrated that birth date, gender and 5-digit ZIP code is enough to identify 87 percent of people in the U.S. One year ago, Sweeney started to pull together a group of faculty who were looking at issues relating to privacy and security, and working toward possible solutions. In the Internet age, few areas of our private lives-and what U.S. Supreme Court Justice Louis Brandeis called "the right to be left alone"- remain untouched by technology. Lorrie Cranor, associate research professor in the School of Computer Science, and director of Carnegie Mellon's Usable Privacy and Security Laboratory, describes Carnegie Mellon as "the place to be for privacy research." She explains, "There's a concentration of researchers and experts here that you just don't find at any other university." So how do these Carnegie Mellon experts suggest you protect yourself when you find the information technology that drives your everyday life to be more sophisticated than you are? Here is a sample of some of their creative solutions-your wake-up call for keeping your data "self" both private and secure.

"Scott Fortnum had put in almost a full day of work at his Markham, Ont., office when he decided to "check in" on Foursquare, a location-based social network where users log the names and co-ordinates of the places they visit with a time stamp. The 44-year-old's check-in was marked with a small coral balloon on an embedded Google Map and instantly viewable by the 12 friends he lists on Foursquare - and millions of others. His check-in found its way onto pleaserobme.com, a recently launched website with a mischievous mandate: "listing all those empty homes out there." With March break approaching, many impending vacationers are installing automatic timers on their lights and putting their newspaper subscriptions on hold to deter burglars. Many are also posting on Twitter about when they're leaving and touting their week-long getaway to Jamaica on Facebook - unwittingly letting the online world know exactly when they're away. Mr. Fortnum's check-in appeared this way on Please Rob Me: @sfortnum left home and checked in 30 minutes ago: I'm at ALS Canada (3000 Steeles Ave. E. #200, DVP & Steeles, Toronto.) http://4sq.com/4MmX51 Many Foursquare users such as Mr. Fortnum cross-post their check-ins to Twitter, where they are easy to find through the search function. With some simple coding, Please Rob Me's creators are able to collect those millions of public tweets on their site in real time, highlighting one of the many security concerns that springs from broadcasting one's whereabouts online. Frank Groeneveld, one of the three students from the Netherlands who designed Please Rob Me, says he co-created the site to give members of social networks a wake-up call."

Finally a site that might make someone a profit!

"Important personal information, such as social security numbers, names and zip codes, of many Notre Dame employees was exposed to the Internet after the University accidentally placed the information in a publicly accessible location. The data breach affected about 24,000 employees, including some students who work for the University, Gordon Wishon, associate vice president of information technology and the University's chief information officer, said. The personal information that was exposed will no longer be accessible because the University immediately removed it from the Internet and secured it, he said. "

"If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures. Companies continued to be felled more by usual issues such as lost laptops, unpatched or poorly coded software, inadvertent disclosures and rogue insiders, rather than by sneaky new attack techniques or devastating new hacker tools. Here's a look back at five of the more notable breaches of the year:"

More preventable security failures predicted for 2010. Way to show value!

"If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures. Companies continued to be felled more by usual issues such as lost laptops, un-patched or poorly coded software, inadvertent disclosures and rogue insiders, rather than by sneaky new attack techniques or devastating new hacker tools. "

Preventable data loss damages customer trust and corporate trust.

"Whether a patient comes in for a gall-bladder operation or to have a baby, the routine remains the same for staff at Sharp HealthCare hospitals in San Diego. The front desk checks insurance records to make sure the bills get paid on time. Nurses take vitals and tag their charges with a bar-coded wristband. And behind the scenes, fund-raisers scan the assets of each patient -- to find out whether they're "megarich," "wealthy" or merely "comfortable.""

Is that a microscope following me around? Must get more tin foil to keep them from seeing my thoughts.

"Iconix Brand Group, Inc. will pay a $250,000 civil penalty to settle Federal Trade Commission charges that it violated the Children's Online Privacy Protection Act (COPPA) and the FTC's COPPA Rule by knowingly collecting, using, or disclosing personal information from children online without first obtaining their parents' permission. Iconix owns, licenses, and markets - both offline and online - several popular apparel brands that appeal to children and teens, including Mudd, Candie's, Bongo, and OP. Iconix required consumers on many of its brand-specific Web sites to provide personal information, such as full name, e-mail address, zip code, and in some cases mailing address, gender, and phone number - as well as date of birth - in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other Web site features. Since 2006, Iconix knowingly collected and stored personal information from approximately 1,000 children without first notifying their parents or obtaining parental consent, according to the FTC's complaint. On one Web site, MyMuddWorld.com, Iconix also enabled girls to publicly share personal stories and photos online, according to the complaint. "Companies must provide parents with the opportunity to say 'no thanks' to the collection and disclosure of their children's personal information," said FTC Chairman Jon Leibowitz. "Children's privacy is paramount, and Iconix really missed the boat by denying parents control over their kids' information online.""

"Mozilla's flagship Firefox browser is vulnerable to at least 11 "critical" vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing. The open-source group shipped Firefox 3.5.4 with patches for the vulnerabilities, which range from code execution risk to the theft of information in the browser's form history."

A new malware variant called Silon is targeting Internet Explorer users, attempting to intercept their sessions and steal credentials. "Researchers at security vendor Trusteer Inc. issued an advisory warning that the Silon Trojan can detect when a user initiates a Web login session in Internet Explorer. It intercepts the login session, encrypts the data and sends it to a command-and-control server where it is collected with credentials from other victims. In a more sophisticated attack, the Trojan targets people logging into their online bank accounts. New York, N.Y.-based Trusteer said Silon can inject sophisticated dynamic HTML code into the login flow between the user and their bank's Web server. The method involves using a webpage displaying a phony message asking the victim to verify their login details. If the victim complies with the request, the login credentials are sent to the command-and-control server, said Amit Klein, chief technology officer of Trusteer. "

"As many as 68,000 members of CalOptima, the Medicaid plan for Orange County, California, may be at risk of identity theft and fraud after several CDs containing their personal information disappeared while in transit, the agency reported. "CalOptima's claims scanning vendor sent the electronic media devices to CalOptima through the U.S. Postal service by certified mail," the agency said. "On Tuesday, October 13, 2009, CalOptima discovered the apparent loss of the devices when the external packaging materials were delivered by the U.S. Postal Service without the box containing the devices." The missing discs include patient information such as names, addresses, Social Security numbers, diagnoses, and billing codes. CalOptima said it notified state and federal agencies of the breach on October 14, and posted an alert on its Web site on October 15."

When ethical hackers track down computer criminals, do they risk prosecution themselves? Security researchers at this week's Usenix conference in Boston believe this is a danger, and that ethical hackers have to develop a uniform code of ethics for themselves before the federal government decides to take action on its own. One such researcher introduced himself by saying "Hi, I'm Dave Dittrich, and I'm a computer criminal." Dittrich, senior security engineer and researcher at the University of Washington's Information School, has not been unlucky enough to be prosecuted. But ten years ago, he took actions to disrupt distributed denial-of-service attacks which he says could have been construed as criminal, he says. Working within the University of Washington Network, Dittrich says he "copied files from one host in Canada that was caching malicious software and logs of compromised hosts," allowing him to gain a fuller understanding of the nascent distributed denial-of-service tools, and to inform the operators of infected Web sites that a problem existed.