Group items tagged

Should responsibility for defending against cyberattacks be moved from the Dept. of Homeland Security to the military? Air Force Gen. Kevin Chilton suggested as much at a Congressional hearing where he warned of U.S. vulnerability to cyberwarfar "across the spectrum." Such attacks "potentially threaten not only our military networks, but also our critical national networks," Chilton told a House Armed Services subcommittee, the Washington Post reported. As head of Strategic Command, the general isn't responsibel for defending civilian networks, just government computers. [Stratcom's responsibility is] "to operate and defend the military networks only and be prepared to attack in cyberspace when directed. I think the broader question is, who should best do this for the other parts of America, where we worry about defending power grids, our financial institutions, our telecommunications, our transportation networks, the networks that support them." Well, that's where the 60-day interagency overview of cybersecurity comes in. At the end of that, Chilton said, responsibility for protecting private sector networks may well fit under Stratcom's duties. So what impact in having the military at the center of cybersecurity? Importantly, it brings offensive ops into the defense game. And where the military is involved, can NSA be far behind? No. Operational control over both [offensive and defensive ops], Chilton said, has been delegated to Lt. Gen. Keith B. Alexander, the head of the National Security Agency. … NSA, according to Chilton, already has a role in information security, and the agency's support "has been instrumental in our efforts to operate and particularly to defend our networks," he said. Combining oversight of cyber defense and offense made sense, Chilton said, "because they're so interconnected. . . . As you consider offensive operations, you want to make sure your defense are up."

In this new age of data protection, where most information is stored digitally and paper shredding is commonplace, you don't need to worry about private information ending up in the garbage, right? Steve Hunt shows that assumption is just plain wrong (includes video).

The following is an excerpt from the book The Truth About Identity Theft. In this section of Chapter 11: Social Engineering (.pdf), author Jim Stickley explains how easy it really is to hack a password. People often ask me how hard it is to hack a password. In reality, it is rare that I ever need to hack someone's password. Though there are numerous ways to gain passwords on a network and hundreds, if not thousands, of tools available to crack encrypted passwords, in the end I have found that it is far easier to simply ask for them. A perfect example of this type of attack was a medium-sized bank that I was testing recently. The bank's concern was related to the new virtual private network (VPN) capabilities it had rolled out to a number of its staff. The VPN allowed staff to connect directly to their secured network while at home or on the road. There is no doubt that a VPN can increase productivity, but there are some pretty major risks that can come with that convenience. The bank explained that the VPN was tied into its Active Directory server. For people who are not technical, basically this just means that when employees log in via the VPN, they use the same credentials they use to log on to their computer at the office. So I went back to my office, sat down, and picked up the phone. The first call I made was to find out the name of an employee in the IT department. I called the company's main line to the bank, pressed 0, and asked to speak with someone in the IT department. I was asked what I was calling about, so I told the employee I was receiving emails from that bank that seemed malicious. I could have used a number of excuses, but I have found that if you tie in an unhappy customer with a potential security issue, your call gets further up the food chain. In this case, I reached a man who I will call Bill Smith. I made up a story about the email, and after a few minutes, he was able to explain to me that I had called the wrong bank and it was actuall

The U.S. Supreme Court Monday accepted an appeal by several groups that brought a constitutional challenge to the Public Company Accounting Oversight Board created by 2002 changes in federal accounting laws. The free-enterprise groups and a Nevada accounting firm sued to stop the Securities and Exchange Commission from naming members of the accounting board, set up by Congress to oversee public-company accountants. "In creating the board, Congress deliberately sought to test the outer boundaries of its ability to reduce presidential power," the groups said in the appeal. The groups, in their lawsuit, claimed the U.S. Constitution required board members to be appointed by the president or the SEC chairman, rather than the entire commission for the securities agency. The Supreme Court's decision to hear the appeal breathes new life into the case, which didn't get much traction in lower courts. The U.S. Solicitor General's office, in court briefs, had urged the high court to reject the appeal, calling it a "poor vehicle" to resolve the constitutional issues raised by the challengers. "The president's control over the SEC is constitutionally sufficient and the act in turn grants the SEC complete and pervasive control over every aspect of the board's authority," Solicitor General Elena Kagan wrote. A U.S. federal judge dismissed the lawsuit in 2007 and the Washington-based U.S. Federal Circuit Court of Appeals also rejected the challenge in a 2-1 decision last year. The private, nonprofit board is charged with inspecting and disciplining public company accountants. The case is the Free Enterprise Fund vs. the Public Company Accounting Oversight Board, 08-861. Oral arguments will be held in the fall, and a decision is expected by July 2010.

Things to think about for auditors during a downturn

As IT environments are becoming more complex, enterprises are relying on them more than ever before, said Michael Juergens, principle at Deliotte & Touche, told attendees at an ISACA CACS audit and compliance conference. He identified 10 areas in which complexity makes IT more difficult to monitor. "This list is designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate this risks," Juergens said. "The list is in no particular order, is by no means a comprehensive list, and will vary by environment. There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors," he added. He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions. A key risk for compliance is simply keeping track of the data and recovering it if part of the cloud goes down. IT administrators must have insight into the cloud to enable forensics if an investigation is required. Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds. The key issue is finding and tracing data, which can move to different servers within a virtualized environment. During this economic downturn, many companies will face disgruntled employees and will need to be able to control their access. "Specific attention items should be: timely removal of access, periphery security, internal security architecture, physical security and badge location, help desk procedures, workstation security and IDS management," Juergens said. Layoffs can harm an organization even without disgruntled employees. Many help desks and incident response teams will be understaffed, and Juergens advised that now is a good time to re-examine security procedures. A related risk could occur if an employee takes on the responsibilities of another, combining tasks that were previously segregated for compliance purposes. En

When it comes to online privacy, we all appreciate the risk of publicizing juicy factoids such as incriminating photos or credit card numbers. But few of us realize a subtler threat: In abundance, innocuous, everyday data can divulge sensitive information as well. Some questions shouldn't be asked. Employers, for instance, generally are not allowed to discriminate based on marital status, sexual orientation and so on. But our growing digital footprint is threatening our ability to dodge inappropriate inquiries. Through data mining, employers, insurers, advertisers and others can infer the answers to private questions without even asking. They need two things: a heap of personal data, and the techniques to crunch it. Both are readily available. People generate and share more information than ever before. Besides consciously generated Web content such as blogs, Facebook profiles and YouTube videos, a steady stream of data is exchanged in the background. Companies track our searches, browsing and shopping behavior. Personal electronic devices can silently disclose our location while we post status updates and photos to the Web. All this seems innocent enough - and the more others do it, the safer we all feel. After all, what's one more Twitter update among millions?

With identity theft on the upswing, Aram Langhans thought he was simply being prudent when he asked the Yakima Heart Center to remove his Social Security number from its files. "They had my insurance card and my driver's license. What else did they need?" said Langhans, a retired public school teacher insured by Group Health. Langhans said he was initially hooked up to a portable heart monitor that he was to wear for 24 hours, but the disagreement over his Social Security number prompted upper-level personnel to change their minds. He said moments after the device was attached, he was sent to a restroom to remove it and turned away. Shawnie Haas, administrator of the Heart Center, an independent outpatient group practice, declined to discuss the incident. But she said in an e-mail statement that the practice protects patients' privacy. "The Yakima Heart Center is careful to collect data pertinent to ensuring accuracy of our patient's medical record. Routine information collected for all patients includes name, address, date of birth, Social Security number, gender, and other specific information that helps us verify that individual's identity and insurance enrollment or coverage data. We are careful to maintain confidentiality of all patient information in our system." According to state and federal regulators, private insurance companies have moved away from using Social Security numbers for patient identification. But health-care providers in the Yakima Valley say they routinely collect them as "backup" in the event that patients' insurance doesn't pay the claim.

Concerned that Google knows too much about you? The company provides many ways to protect your privacy online -- you just need to find them. Here are six good ones. 1. Know your privacy rights: Use the Google Privacy Center. This site includes all of Google's privacy policies, as well as privacy best practices for each of its products and services. Although the "legalese" of privacy policies can be difficult to understand, Google's Privacy Channel offers a library of short YouTube videos with practical tips on protecting your data when using Google products and services. Try the "Google Search Privacy" and "Google Privacy Tips" series. 2. Protect your content on the services you use. Some content that Google stores for you, such as photos uploaded in Picasa Web Albums, are public by default. You can protect your privacy when you upload photos by choosing the appropriate checkbox. Choices include "unlisted" (accessible only if you have the Web link, and not indexed by Web search engines) or private (viewable only by named users who must sign in). Another example: You can take a Google Chat "off the record" if you don't want the instant messaging transcript stored. In contrast, Google Latitude, which tracks your whereabouts by way of GPS-enabled cell phones, does not share your location data by default. You must authorize others to see it. Latitude stores your last known location, but not your history. 3. Turn off the suggestion feature in the Chrome browser. By default, Chrome retains a history of Web sites you've visited -- and the full text of those pages -- so it can try to guess which Web address you want as you type in the "Omnibox." You can turn the feature off by going to "Under the Hood" under Options and unchecking the "Use a suggestion service" box. You can also select other privacy options, including surfing in Chrome's "incognito" mode. 4. Turn off Web History. You may have turned on the Web History option, also called Personalized Search, when yo

We've all heard the argument before: "Why should you worry about the government looking into your personal records if you have nothing to hide?" Daniel J. Solove, an associate professor of law at The George Washington University Law School, analyzes that argument in a recently published paper titled "I've Got Nothing to Hide and Other Misunderstandings of Privacy." Solove argues that "the question assumes faulty assumptions about privacy and its value." Those who make the "nothing to hide" argument fail to understand the chilling effect that surveillance has on public discourse, the fact that small bits of private data (which an individual may not object to being uncovered) when put together form a larger and more intimate profile (which an individual may object to), and the mistake of having one's profile mistakenly associated with a group that is labeled as threatening. Here's an excerpt from the paper, which was published in the latest issue of the San Diego Law Review: [T]he problem with the "nothing to hide" argument is that it focuses on just one or two particular kinds of privacy problems - the disclosure of personal information or surveillance - and not others. It assumes a particular view about what privacy entails, and it sets the terms for debate in a manner that is often unproductive. It is important to distinguish here between two ways of justifying a program such as the NSA surveillance and data mining program. First is to not recognize a problem. This is how the "nothing to hide" argument works. It denies even the existence of a problem. The second manner of justifying such a program is to acknowledge the problems but contend that the benefits of the NSA program outweigh the privacy harms. The first justification influences the second, for the low value given to privacy is based upon a narrow view of the problem. The key misunderstanding is that the "nothing to hide" argument views privacy in a particular way - as a

The state's highest court told Bergen County yesterday to release 8 million pages of real estate documents -- including mortgage information -- to fulfill a request filed under the state's public records law, but that Social Security numbers included in them must be kept private. The justices also said the company requesting the information should pay the $460,000 it will cost the county to remove the Social Security numbers from records spanning more than two decades. The court unanimously agreed that the documents, requested by a business that wants to sell electronic access to this information, are public records under the state's Open Public Records Act. But it stressed some of the personal information, if released, would hurt residents. "The request was made on behalf of a commercial business planning to catalogue and sell the information by way of an easy-to-search computerized database. Were that to occur, an untold number of citizens would face an increased risk of identity theft," Chief Justice Stuart Rabner wrote for the court. Bergen County officials called the decision a victory for all New Jersey residents concerned about identity theft.

Maintaining privacy is on many people's minds these days, but sometimes that's the last thing they do. Allegations last week that two British tabloids, The Sun and The News of the World, had employed high-technology snoops to listen in on the mobile phone messages of public figures highlighted fears of what can happen when digital data fall into dubious hands. The reports came only days after another privacy debacle, this one self-inflicted. Photos and family information about Sir John Sawers, soon to be Britain's chief spy, appeared in another newspaper, The Mail on Sunday, after his wife posted them on Facebook. While attitudes toward privacy can appear paradoxical, the seeming contradiction is really about something else: control. When people bare their bodies on Facebook or their souls in the digital confessional of Google's search engine, they feel as if they are in charge. Not so, when the private embarrassments come to light unexpectedly.

Following complaints from Republicans, the White House has shut down a two-week-old e-mail tip line launched to take reports from citizens of "disinformation about health insurance reform." "An ironic development is that the launch of an online program meant to provide facts about health insurance reform has itself become the target of fear-mongering and online rumors that are the tactics of choice for the defenders of the status quo," wrote White House new media director Macon Phillips in announcing the change. "The White House takes online privacy very seriously," he added. The e-mail tip line, flag@whitehouse.gov, was launched Aug. 4 as part of the White House's Health Insurance Reform Reality Check effort, a campaign-style rapid-response effort reminiscent of the war room Obama for America launched in the summer of 2008 to fight online rumors about the then-senator's patriotism and religion. But coming from the head of state, rather than a political candidate, the new effort quickly sparked concern among Republicans about the propriety of government collecting information on private citizens' political speech.

On September 12, 2009, Maine's Act to Prevent Predatory Marketing Practices Against Minors (the "Act") will take effect. The Act prohibits businesses from knowingly collecting or receiving a minor's health-related information or personal information for marketing purposes without first obtaining verifiable parental consent. Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor. Pursuant to the Act, the use of information in such a manner is a predatory marketing practice, which may be sanctioned as an unfair trade practice. The law also allows individuals subject to unlawful data collection or predatory marketing practices to bring a private right of action against violators. For businesses, the implications of Maine's new data collection and marketing restrictions are far-reaching. The scope of the law covers both online and off-line marketing activities, and the broad definition of personal information includes a minor's name in combination with any information concerning the minor. In light of the Act's restrictive requirements and considerable scope, businesses would be well-advised to evaluate their current marketing practices and age verification mechanisms. The text of the law is available here.

The Air Force is seeking an entrepreneurial innovator to develop technology to analyze the conduct of insiders to determine if they pose a threat to government IT systems. In a call for proposals aimed at small businesses, posted on Tuesday, the Air Force is asking outside developers to "define, develop and demonstrate innovative approaches for determining 'good' (approved) versus 'bad' (disallowed/subversive) activities, including insiders and/or malware." For their initial efforts, the Air Force will pay up to $100,000. The proposal says current techniques that monitor illicit activities only address the most blatant violations of policy or the grossest deviations from accepted behavior. Most systems concentrate their resources on repelling attacks at the network borders with little attention devoted to threats that evade detection and/or emanate from within. The proposal states: "As such, there currently exists a great need across the federal, military and private sectors for a viable and robust means to provide near-real-time detection, correlation and attribution of network attacks, by content or pattern, without use of reactive previously-seen signatures. Many times, these trusted entities have detailed knowledge about the currently-installed host and network security systems, and can easily plan their activities to subvert these systems."

The Federal Trade Commission today approved a final consent order settling claims that CVS Caremark violated customers' privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year. Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations. "This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said FTC chairman William Kovacic following the settlement. "It also sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information." Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data.

Senate Judiciary Chairman Patrick Leahy (D-Vt.) has reintroduced a data breach bill that would set tougher rules for government agencies and private sector firms regarding consumers' personal information. This will be the third time around the block for the Personal Data Privacy and Security Act, which has cleared the Judiciary Committee, but never come to a vote on the Senate floor. The bill would preempt the more than 40 state laws laying out requirements for notifying consumers in the event of a data breach, a long-deferred legislative goal that has the general support of the IT industry. But Leahy's bill is about more than just data breaches. Among other things, it would set baseline security information standards for government agencies, something that the Obama administration has begun to work on with the early steps of an overhaul of the government's cybersecurity apparatus. "This is a comprehensive bill that not only deals with the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place," Leahy said in a statement. "Passing this comprehensive data privacy legislation is one of my highest legislative priorities as Chairman of the Judiciary Committee."

A law designed to keep college students' grades private often is used for a much different purpose -- to shield universities from potentially embarrassing situations. Some critics say a number of schools are deliberately misreading the Family Educational Rights and Privacy Act in order to keep scandals and other unflattering news from hitting the media. "Some schools have good-faith misunderstandings of the law, but there are others that simply see this as a handy excuse to hide behind," says Frank LoMonte, executive director of the Student Press Law Center, which provides student journalists with legal help. Legal experts say part of the problem is that the law is loosely defined. In addition, the potential consequences of violating the law -- namely, that schools would lose their federal funding -- prompt university officials to be conservative in their decisions about releasing information. Those complaints rankle advocates of student privacy, who say that, if anything, the three-decade-old law should be expanded. "Most of these kids are adults, and they should be able to make their own decisions," says Daren Bakst, president of the Council on Law in Higher Education. Congress already reworked the law to clarify when universities can disclose student information, especially involving health and safety matters. Those changes, adopted in January, followed the 2007 shooting rampage at Virginia Tech by a mentally troubled student.

Naturally, privacy watchdogs answer the question in this post title with a resounding "Yes!" The answer is so emphatic, in fact, that the Center for Digital Democracy and U.S. Public Interest Research Group are filing a 52-page complaint with the FTC today alleging that mobile marketers collect so much "non personally identifiable information" that it infringes on users' privacy-and are "unfair and deceptive." Mobile devices, which know our location and other intimate details of our lives, are being turned into portable behavioral tracking and targeting tools that consumers unwittingly take with them wherever they go. (Shh! Don't tell them the FBI can remotely turn on the microphone of several cell phone brands and convert your phone into a roving bug, even when it's off!) But is the Internet private-and should it be? Is a profile that states that you are interested in outdoor rec and currently in the Santa Clara, CA, area an invasion of your privacy? And if so, should we ban all outdoor rec stores and centers in Santa Clara from collecting personally identifiable information like, say, a picture of you when you walk in their lobby? Should we prohibit all employees from asking your name and if you slip and mention it, make sure they never call you by it?

Visit the Amazon.com site to buy a book online and your welcome page will include recommendations for other books you might enjoy, including the latest from your favorite authors, all based on your history of purchases. Most customers appreciate these suggestions, much the way they would recommendations by a local librarian. But, what if you visited an investment site, only to find advertising messages suggesting therapies for your recently diagnosed heart condition? Chances are that you would experience what Fran Maier calls the "creepiness" factor, a sense that someone has been snooping into a part of your life that should remain private. Maier is the Executive Director of TrustE, a nonprofit that sets guidelines for online privacy and awards a seal of approval to companies meeting those guidelines. She was a speaker at the recent Supernova conference, an annual technology event in San Francisco organized by Wharton legal studies and business ethics professor Kevin Werbach in collaboration with Wharton. Creepiness Factor The creepiness factor is a risk inherent in so-called behavioral targeting. This practice is based on marketers anonymously observing a user's behavior on the Internet and compiling a personal profile based on interests and behavior -- sites visited, searches conducted, articles read, even emails written and received. Based on their profiles, users receive advertising targeted specifically to them, regardless of where they travel on the web. Consumer advocates worry that online data collection and tracking is going too far. Marketing executives counter that consumers benefit from seeing advertising relevant to their interests and contend that relinquishing some personal data is a reasonable trade-off for free access to Internet content, much of it supported by advertising.

Online crime is increasingly hitting small and mid-size companies in the U.S., draining those entities' bank accounts through fraudulent transfers. The problem has gotten so bad that a financial services group recently sent out a warning about the trend, and the Federal Deposit Insurance Corporation (FDIC) issued an alert today. "In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," says a bulletin sent on Aug. 21 to member financial institutions by the Financial Services Information Sharing and Analysis Center, (FS-ISAC). The FS-ISAC is part of the government-private industry umbrella working with the Department of Homeland Security and Treasury Department to share information about critical threats to the country's infrastructure. The member-only alert described the problem and told its members to implement many of the precautions and monitoring currently used to detect consumer bank and credit card fraud.