
CIPP Information Privacy & Security News: Group items tagged Engineering


Google Tracker Appeals to Facebook Crowd, Spurs Privacy Worries - 0 views

  •  
    Richard Acton-Maher of San Francisco was in nearby Berkeley last month and wanted to meet friends for lunch. Instead of making calls to see who was around, he looked at a digital map on his iPhone that plotted their locations. "One of my friends was also there," said Acton-Maher, 24, who used a service from a startup company called Loopt Inc. "I gave him a call and met him for lunch. It just enhances the communications tools that I already have." Google Inc., encouraged by people's willingness to share their personal lives on sites like Facebook, is betting more people like Acton-Maher will post their whereabouts online. The owner of the most popular search engine started a program this month called Latitude, seeking to compete with mobile networking services such as Loopt, Match2Blue, Whrrl and Limbo. Besides competition, Google's effort to turn mobile phones into tracking devices faces criticism from privacy advocates. Useful for friends and family, location data would also be valuable to the government, said Kevin Bankston, an attorney with the San Francisco-based Electronic Frontier Foundation, a not-for-profit organization focused on civil liberties. "This is certainly valuable information to investigators and potentially to civil litigants," Bankston said. "This type of location information presents a very new sensitive data flow." Google says its privacy settings address such concerns. People using Google's mobile maps can opt not to use Latitude and choose whom they share their information with. The program also only stores the user's last known location, not a full history of their travels, said Steve Lee, a Google product manager. 'Ephemeral Data' While Google doesn't plan to store the data, the government could still go to court to ask for the company's help in tracking someone during an investigation, Bankston said.

Facebook, MySpace, and social (media) diseases |Notes from the Field | Robert... - 0 views

  •  
    Social media is on the rise, and so are the privacy and security risks. Is it time to dial back on the whole Web 2.0 'friend' thing? The social media honeymoon is officially over. While it may not yet be time to fly to Reno for a quickie divorce, you might want to start thinking about sleeping in separate bedrooms for a while. Example du jour: Over the weekend, a rogue application spread across Facebook, warning users about bogus errors in their profiles. Clicking on the "Error Check System" app causes it to send false warnings to your entire FB posse, per the unofficial AllFacebook blog. There doesn't seem to be any payload associated with that app besides driving traffic, but the potential for abuse is obvious. But a bigger problem on social nets is an old familiar one: spam. So far, spam only accounts for about 5 to 25 percent of all e-mail passed on social networks, versus 90 percent of regular e-mail, says Adam O'Donnell, director of emerging tech for Cloudmark, which filters spam for some large social nets (but won't identify which ones). As more people start tweeting about what their cats ate for lunch and share their Facebook profiles with near-total strangers, though, that number will only grow. The type of spam on social networks is different too, says O'Donnell. Think fewer fake Viagra come-ons, more social engineering scams. In other words, the junk you get on social networks is more likely to be aimed at stealing your credentials or your identity -- and thus much more dangerous than garden-variety spam.

Obama Administration Outlines Cyber Security Strategy - Security FixSecurity Fix - 0 views

  •  
    The key points of the plan closely mirror recommendations offered late last year by a bipartisan commission of computer security experts, which urged then president-elect Obama to set up a high-level post to tackle cyber security, consider new regulations to combat cyber crime and shore up the security of the nation's most sensitive computer networks. The strategy, as outlined in a broader policy document on homeland security priorities posted on the Whitehouse.gov Web site Wednesday, states the following goals:
    * Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
    * Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
    * Protect the IT Infrastructure That Keeps America's Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
    * Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
    * Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.

Hudson River Pilot Studied Crisis Management Before Crash - 0 views

  •  
    If practice makes perfect, it's no wonder commercial pilot Chesley B. (Sully) Sullenberger III was able to save the day last week, guiding a malfunctioning jetliner over New York City and landing it safely in the Hudson River. It turns out Sullenberger was well trained for the job and had been studying crisis management. The Associated Press' Amy Westfeldt says Sullenberger, 57, of Danville, California, is a former fighter pilot who runs a safety consulting firm in addition to flying commercial aircraft. Westfeldt says Sullenberger is president of Safety Reliability Methods, a California firm that uses "the ultra-safe world of commercial aviation" as a basis for safety consulting in other fields. "When a plane is getting ready to crash with a lot of people who trust you, it is a test," Civil engineer Robert Bea told Westfeldt. "Sully proved the end of the road for that test. He had studied it, he had rehearsed it, he had taken it to his heart." The pilot "did a masterful job of landing the plane in the river and then making sure that everybody got out," Mayor Michael Bloomberg told AP. "He walked the plane twice after everybody else was off, and tried to verify that there was nobody else on board, and he assures us there was not. He was the last one up the aisle and he made sure that there was nobody behind him."

Fannie Mae IT contractor indicted for planting malware; Mortgage giant didn't revoke se... - 0 views

  •  
    A former Fannie Mae IT contractor has been indicted for planting a virus that would have nuked the mortgage agency's computers, caused millions of dollars in damages and even shut down operations. How'd this happen? The contractor was terminated, but his server privileges were not. Rajendrasinh Makwana was indicted on Tuesday in the U.S. District Court for Maryland (press report, complaint and indictment PDFs). From early 2006 to Oct. 24, Makwana was a contractor for Fannie Mae. According to the indictment, Makwana allegedly targeted Fannie Mae's network after he was terminated. The goal was to "cause damage to Fannie Mae's computer network by entering malicious code that was intended to execute on January 31, 2009." And given Fannie Mae, along with Freddie Mac, was nationalized in an effort to stabilize the mortgage market, Makwana could have caused a good bit of havoc. Makwana worked at Fannie Mae's data center in Urbana, MD as a Unix engineer as a contractor with a firm called OmniTech. He had root access to all Fannie Mae servers. The tale of Makwana's malware bomb plot is a warning shot to all security teams and IT departments. Given the level of layoffs we've seen lately, the ranks of disgruntled former employees are likely to grow. Is there any company NOT lopping off a big chunk of its workforce? And some of these workers may even have Makwana's access privileges and knowledge of the corporate network.

How to implement and enforce a social networking security policy - 0 views

  •  
    This tip is part of Mitigating Web 2.0 threats, a lesson in SearchSecurity.com's Data Protection Security School. Visit the lesson page or our Security School Course Catalog for additional learning resources. Social networking, a term relatively new to the computing vernacular, has already become part of the cultural norm for a great proportion of Internet users. Even more recently, the use of online communities to establish and build connections among those with shared interests has become part of the corporate world as well. As professional social networks such as LinkedIn and Blue Chip Expert continue to grow, and professional groups gain in popularity on once-personal sites like Facebook and MySpace, enterprise security and risk management professionals must face the reality that these sites are emerging conduits for the unauthorized disclosure of confidential corporate information. Add the use of public social networking tools to the list of concerns, and the effectiveness of the traditional corporate security perimeter is further diminished. However, a robust set of policy, process and architecture aids in mitigating the risks of being social. Broadly, social networking is described as software that lets people interact, rendezvous, connect, play or collaborate by use of a computer network. This definition covers the popular social networking sites, including those mentioned above, as well as blogs, wikis, RSS, podcasts, tags, and more recently, search engines. While there are numerous benefits to social network solutions, including reducing costs and increasing collaboration, we'll focus on addressing the risks.

On the Identity Trail - Lessons From the Identity Trail - 0 views

  •  
    During the past decade, rapid developments in information and communications technology have transformed key social, commercial, and political realities. Within that same time period, working at something less than Internet speed, much of the academic and policy debate arising from these new and emerging technologies has been fragmented. There have been few examples of interdisciplinary dialogue about the importance and impact of anonymity and privacy in a networked society. Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society fills that gap, and examines key questions about anonymity, privacy, and identity in an environment that increasingly automates the collection of personal information and relies upon surveillance to promote private and public sector goals. This book has been informed by the results of a multi-million dollar research project that has brought together a distinguished array of philosophers, ethicists, feminists, cognitive scientists, lawyers, cryptographers, engineers, policy analysts, government policy makers, and privacy experts. Working collaboratively over a four-year period and participating in an iterative process designed to maximize the potential for interdisciplinary discussion and feedback through a series of workshops and peer review, the authors have integrated crucial public policy themes with the most recent research outcomes. The book is available for download under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Canada License by chapter below. Hard copies are available for purchase at Amazon & at Oxford University Press.

Is Twitter for sale? - FierceCIO - 0 views

  •  
    There are plenty of rumors out in the cyberworld about the future of Twitter, a popular social networking site, and whether the company will be acquired or partner with another company. Some believe one of the suitors is Google Inc. Rumor has it, the two companies are considering collaborating on a Google real time search engine. To make it work, Google could pay cash, stock or a combination of both. Google wouldn't comment on these rumors. Nevertheless, it's an intriguing idea for a company created three years ago that has, to date, not made any money. Analysts think this would be a good marriage, according to MarketWatch. Gartner Inc. analyst Jeff Mann, for one, told the website it's a pretty good idea. "The culture and ambitions of Twitter and Google match." Not only that, there are lots of indications of growth. Twitter's content is now growing by 6 million tweets per day, and that's a win-win situation for Google, for sure.

Insights on the Insider Threat: Interview with Randy Trzeciak of Carnegie Mellon's CERT - 0 views

  •  
    Insights on the Insider Threat: Randy Trzeciak of Carnegie Mellon's CERT. February 25, 2009. We all know the risk of the insider threat is high, but what are the specific vulnerabilities for which organizations should be particularly vigilant? In an exclusive interview, Randy Trzeciak of Carnegie Mellon's CERT program discusses recent insider threat research, including: Patterns and trends of insider crimes; Motives and means displayed in real insider cases; What employers and staffs can do to prevent and detect crimes. Trzeciak is currently a Senior Member of the Technical Staff for the Threat and Incident Management Team in the CERT Program at Carnegie Mellon University's Software Engineering Institute. He is a member of a team in CERT focusing on insider threat research, including insider threat studies being conducted with the US Secret Service National Threat Assessment Center, DOD's Personnel Security Research Center (PERSEREC), and Carnegie Mellon's CyLab.

http://www.itnews.com.au/News/99250,aussie-stumbles-on-19000-exposed-credit-card-number... - 0 views

  •  
    A defunct payment gateway has exposed as many as 19,000 credit card numbers, including up to 60 Australian numbers. The discovery by a local IT industry worker was made by mistake and appears to be caused by a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone. The cached data, viewed by iTnews, includes 22,000 credit card numbers, including CVVs, expiry dates, names and addresses. Up to 19,000 of these numbers could be active. Most are customers in the US and Britain although some are Australian. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of companies, including UK retailers of laboratory supplies, sports and health goods, apparel, photo imaging and clothing.

Google I/O Developer Conference: Where's The Security Love? - Security Blog - Informati... - 0 views

  •  
    Why Google isn't ready to be an Enterprise vendor
  •  
    At the Google (NSDQ: GOOG) I/O developer conference this week, Google Inc. will host more than 80 technical sessions on all of the Google apps and platforms we've come to know -- Android, Chrome, App Engine, Web Toolkit, AJAX and others. When reviewing the Google I/O Schedule this morning, I was disappointed by what could not be easily found. The conference will run this week, May 28 to 29, in San Francisco, and Google is expecting more than 2,000 attendees. Unfortunately, a long perusal of the schedule shows plenty of tracks with Search, Scale, and Performance in the title -- but only one track with Security. What about Privacy? Well, there are no tracks highlighting data privacy, either. There is a session that covers federated identity management, Practical Standards-based Security and Identity in the Enterprise. And it looks promising, but federated authentication and authorization is more about making sure applications and people can interact securely, not that an application, itself, is inherently secure.

6 ways to protect your privacy on Google - 0 views

  •  
    Concerned that Google knows too much about you? The company provides many ways to protect your privacy online -- you just need to find them. Here are six good ones. 1. Know your privacy rights: Use the Google Privacy Center. This site includes all of Google's privacy policies, as well as privacy best practices for each of its products and services. Although the "legalese" of privacy policies can be difficult to understand, Google's Privacy Channel offers a library of short YouTube videos with practical tips on protecting your data when using Google products and services. Try the "Google Search Privacy" and "Google Privacy Tips" series. 2. Protect your content on the services you use. Some content that Google stores for you, such as photos uploaded in Picasa Web Albums, are public by default. You can protect your privacy when you upload photos by choosing the appropriate checkbox. Choices include "unlisted" (accessible only if you have the Web link, and not indexed by Web search engines) or private (viewable only by named users who must sign in). Another example: You can take a Google Chat "off the record" if you don't want the instant messaging transcript stored. In contrast, Google Latitude, which tracks your whereabouts by way of GPS-enabled cell phones, does not share your location data by default. You must authorize others to see it. Latitude stores your last known location, but not your history. 3. Turn off the suggestion feature in the Chrome browser. By default, Chrome retains a history of Web sites you've visited -- and the full text of those pages -- so it can try to guess which Web address you want as you type in the "Omnibox." You can turn the feature off by going to "Under the Hood" under Options and unchecking the "Use a suggestion service" box. You can also select other privacy options, including surfing in Chrome's "incognito" mode. 4. Turn off Web History. You may have turned on the Web History option, also called Personalized Search, when yo

Inside a data leak audit - 0 views

  •  
    When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources. "Data leakage is an area that doesn't get a lot of focus until something bad happens. Your biggest hope is that when you raise concerns about data vulnerability, someone will see the value in allowing you to move forward to protect it," the IT director says. But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping holes in the IT team's security practices. (Read a related story on the most common violations encountered.) The audit, conducted by Networks Unlimited in Hudson, Mass., examined outbound e-mail, FTP and Web communications. The targets were leaks of general financial information, corporate plans and strategies, employee and other personal identifiable information, intellectual property and proprietary processes. Networks Unlimited placed one tap between the corporate LAN and the firewall and a second tap between the external e-mail gateway and the firewall. Networks Unlimited used WebSense software on two servers to monitor unencrypted traffic. Then it analyzed the traffic with respect to company policy. Specifically, Networks Unlimited looked for violations of the pharmaceutical firm's internal confidentiality policy, corporate information security policy, Massachusetts Privacy Laws (which go into effect in 2010), Health Insurance Portability and Accountability Act (HIPAA), and Security and Exchange Commission and Sarbanes-Oxley regulations. Auditor Jason Spinosa, senior engineer at Networks Unlimited, says that while he selected the criteria for this audit, he usually recommends that companies take time to determine their policy settings based on their risk

Media Cache - The Paradox of Privacy - NYTimes.com - 0 views

  •  
    Maintaining privacy is on many people's minds these days, but sometimes that's the last thing they do. Allegations last week that two British tabloids, The Sun and The News of the World, had employed high-technology snoops to listen in on the mobile phone messages of public figures highlighted fears of what can happen when digital data fall into dubious hands. The reports came only days after another privacy debacle, this one self-inflicted. Photos and family information about Sir John Sawers, soon to be Britain's chief spy, appeared in another newspaper, The Mail on Sunday, after his wife posted them on Facebook. While attitudes toward privacy can appear paradoxical, the seeming contradiction is really about something else: control. When people bare their bodies on Facebook or their souls in the digital confessional of Google's search engine, they feel as if they are in charge. Not so, when the private embarrassments come to light unexpectedly.

Ghosts in the Machine: Attacks May Come From Inside Computers - 0 views

  •  
    The next wave of hacking into computers and stealing data will not be requests or code coming from remote points across the Web, security experts are warning. Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects and intricate mapping of the chip itself, according to scientists and academics working with the National Institute of Standards and Technology, the White House and the Financial Services Information Sharing and Analysis Center in Dulles, Va. Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts say, because the microchips that run servers have millions to billions of transistors in them. Adding a few hundred or even just tens of transistors can compromise an integrated circuit, serve attackers' purposes and escape notice. "You can never really test every single combination on the chip. Testing a billion transistors would take a very long time. It would be very difficult to detect hardware Trojans without having some idea of what you're looking for to begin with," said Scott C. Smith, associate professor of electrical engineering at the University of Arkansas, co-author of a 2007 paper which described a "Hardware Threat Modeling Concept for Trustable Integrated Circuits." Tweaking chips themselves will make them prone to manipulate data, shut down a critical function, or turn a system into a bugged phone that steals and relays vital information, the experts say.

Want total privacy? Try Google Village. - 0 views

  •  
    With mounting concerns over online privacy and information gathering by search engines, Google has come up with a solution, Opt-out village, a 22-acre remote mountain enclave for those obsessed with privacy. According to trusted news network, ONN, access to the new privacy feature is simple. Just click the opt-out button on the Google home page. Within minutes, a van will arrive to sweep you away to Opt-Out Village nestled in the Pacific Northwest. A team of privacy experts will eliminate your personal identifiers and guarantee that your name and address will not appear on Google local searches.

Hunch wants you to give it some ideas - Los Angeles Times - 0 views

  •  
    Hunch.com helps users search for answers -- but first, it performs a detailed search on the users themselves. Launching today after a year in development, Hunch aims to supply users with computer-generated advice on thousands of lifestyle and consumer questions: What kind of dog should I buy? What should I get dad for Father's Day? Which book by George Orwell would I like? Most important, though, Hunch is not a search engine. Rather than scouring the open Web for information, as Google, Microsoft's new Bing and scores of others do, or collating written opinions, as Amazon.com does, Hunch computes answers by comparing what it knows about you to what it knows about people like you. "Ultimately, what we're doing is providing a kind of shortcut through human expert systems," said Hunch founder Caterina Fake, who also started Flickr.com, the popular photo-sharing site that was acquired by Yahoo in 2005. By first inviting users to answer as many as 1,500 questions about themselves -- an addictive kind of personality test that involves such diverse questions as political orientation, relationship status and whether you believe in UFOs and keep your closet organized -- Hunch looks to assemble a demographic profile whose depth could rival anything in the commercial universe. The New York company also believes that users stand to benefit from this kind of large-scale data farming -- not just from getting better answers, but also from discovering the many microdemographics to which they belong. Hunch also says it will not sell user data to marketers. But this promise, written into the site's privacy policy, is not precisely a legal contract, said Siva Vaidhyanathan, a new-media scholar at the University of Virginia, and the difference leaves the data it collects in a fuzzy domain.

Social Engineering: 5 Security Holes at the Office (Includes Video) - CSO Online - Secu... - 0 views

  •  
    If you think the biggest threat to your sensitive information lies in network security, think again. Once a criminal is inside a building, there are limitless possibilities to what that person can access or damage. Take a look at your building's security. How easy is it to get inside?
  •  
    Good awareness video to make employees & employers think about physical security ramifications

How a corporate Twitter policy can combat social network threats - 0 views

  •  
    In a little more than three years, Twitter has become "the SMS of the Internet" for millions of people. Many find it a useful and productive form of communication, but recent attacks against the service and its users have highlighted the potential dangers of Twitter and other social networking sites. Enterprises have had to tackle not only the productivity and privacy issues associated with Twitter, but also a number of direct security threats. Unfortunately, the success of microblogging sites like Twitter relies on the same elements of human nature as social engineering attacks, particularly a natural desire and willingness to share and engage with those we trust. Most people have learned not to open attachments or links in emails from people they don't know. Yet because Twitter is seen as a friendly, group-based service, many will not hesitate to click on a shortened Twitter link, having no clue as to where it will take them.

Centrist Group Calls for Laws Curbing Online Tracking | Epicenter | Wired.com - 0 views

  •  
    "A key, centrist digital rights group is set to put out a report calling for strong federal privacy laws and guidelines to regulate the growing tracking and targeting of Americans online. It argues that the self-regulation approach that industry fights for just hasn't worked. The online ad industry has "historically failed to fully implement its self-regulatory principles," according to the 34-page draft report by the Center for Democracy and Technology. CDT is a centrist D.C. group that works with and is substantially funded by the tech industry, including companies like Facebook, Google and AOL that are deeply invested in targeted ads. "Recently revised self-regulatory principles still fall short (.pdf) even as written," charges the draft, obtained by Wired.com. These tough words spearhead a new tactic for a group more used to convening inside-the-Beltway tech policy forums than launching ACLU-style send-outraged-e-mail campaigns. The CDT, which splintered off from the rabble-rousing Electronic Frontier Foundation 15 years ago, is also planning to launch a "Take Back Your Privacy" campaign on Thursday, designed to garner support for its call for comprehensive federal privacy legislation. Dozens of tech firms, known and obscure, record users' behaviors as they interact with search engines, blogs, e-commerce sites and even government websites. The tracking goes on in the background with little knowledge by consumers and even less oversight from government authorities. The tech industry - like others subject to potentially blunt-forced government regulation - has argued that policing itself was enough to prevent egregious privacy intrusions that could proliferate without any real chance individuals would even be aware of them."