Group items matching

in title, tags, annotations or url

A former Goldman Sachs computer programer accused of stealing secret trading codes from the investment bank was being held in federal custody on Monday, pending the posting of $750,000 bail. Sergey Aleynikov, 39, was ordered by U.S. Magistrate Kevin Nathaniel Fox in Manhattan on Saturday to post a $750,000 personal recognizance bond to be secured by three financially responsible people, according to court documents. The bond also was to include $75,000 in cash, and Aleynikov was ordered to surrender his passport and not to access the computer data at issue in the case. A preliminary hearing in his case was scheduled for August 3. Aleynikov, a Russian immigrant living in New Jersey, was arrested on Friday night by FBI agents as he got off a flight at Newark Liberty International Airport, according to court documents. He is accused of "theft of trade secrets" related to computer codes used for sophisticated automated stock and commodities trading at an unspecified, New York-based financial institution, according to the court affidavit filed by FBI special agent Michael McSwain. Sources familiar with the situation have told Reuters columnist Matthew Goldstein that the financial institution is Goldman Sachs. A Goldman representative declined to comment on Monday. A lawyer for Aleynikov, Sabrina Shroff, also declined to comment.

A group of computer scientists at the University of Washington has developed a way to make electronic messages "self destruct" after a certain period of time, like messages in sand lost to the surf. The researchers said they think the new software, called Vanish, which requires encrypting messages, will be needed more and more as personal and business information is stored not on personal computers, but on centralized machines, or servers. In the term of the moment this is called cloud computing, and the cloud consists of the data - including e-mail and Web-based documents and calendars - stored on numerous servers.

Incident demonstrates that even agencies that put in security controls are still vulnerable The Federal Aviation Administration was doing such a good job at protecting data in its computer systems that the Office of Management and Budget chose it in January to be one of four agencies to guide other federal agencies in their cybersecurity efforts. Just a month later, FAA officials had to admit that hackers breached one of the agency's servers, stealing 48 files. Two of the files contained information on 45,000 current and former FAA employees, including sensitive information that could potentially make them vulnerable to identity theft. The security breach, although significant and potentially far reaching, is not necessarily a reflection on FAA's security measures. Rather, it demonstrates the problems of securing federal computer systems and difficulty in evading every potential attack. "Every agency is living through the same problems," but most are being less forthcoming about reporting them, said Alan Paller, director of the SANS institute. "FAA should get kudos for rapid action. Slamming them shows a complete lack of understanding about the state of security in federal agencies."

Consumers save their e-mail and documents on Google's data centers, put their photos on Flickr and store their social lives on Facebook. Now a host of companies including Amazon and Microsoft wants government agencies to similarly house data on their servers as a way to cut costs and boost efficiency. But federal officials say it's one thing to file away e-mailed jokes from friends, and another to store government data on public servers that could be vulnerable to security breaches. The push toward "cloud computing," so named because data and software is housed in remote data centers rather than on-site servers, is the latest consumer technology to migrate to the ranks of government. Companies such as Amazon and Salesforce, which do not typically sell services to the government, want a piece of the business. Google opened a Reston office last year to sell applications such as Google Docs to federal employees. Silicon Valley-based Salesforce, which has focused on selling to corporations, established a team dedicated to government contracting. Microsoft spent $2.3 billion in 2007 to build data centers for cloud computing, and IBM, Sun Microsystems and HP want to provide the government cloud.

"Two L.A. traffic engineers who pleaded guilty to hacking into the city's signal system and slowing traffic at key intersections as part of a labor protest have been sentenced to two years' probation. Authorities said that Gabriel Murillo, 40, and Kartik Patel, 37, hacked into the system in 2006 despite the city's efforts to block access during a labor action. Fearful that the strikers could wreak havoc, the city temporarily blocked all engineers from access to the computer that controls traffic signals. But authorities said Patel and Murillo found a way in and picked their targets with care -- intersections they knew would cause significant backups because they were close to freeways and major destinations. The engineers programmed the signals so that red lights for several days starting Aug. 21, 2006 would be extremely long on the most congested approaches to the intersections, causing gridlock. Cars backed up at Los Angeles International Airport, at a key intersection in Studio City, at access onto the clogged Glendale Freeway and throughout the streets of Little Tokyo and the L.A. Civic Center area, sources told The Times at the time. No accidents occurred as a result. As part of their plea deal, the engineers agreed to pay $6,250 in restitution and completed 240 hours of community service."

With increasing dependency on information systems and advances in cloud computing, the smart grid and mobile computing, maintaining the confidentiality and integrity of citizens' personally identifiable information is a growing challenge. A new draft document from the National Institute of Standards and Technology (NIST) addresses that challenge by adding privacy controls to the catalog of security controls used to protect federal information and information systems.

When ethical hackers track down computer criminals, do they risk prosecution themselves? Security researchers at this week's Usenix conference in Boston believe this is a danger, and that ethical hackers have to develop a uniform code of ethics for themselves before the federal government decides to take action on its own. One such researcher introduced himself by saying "Hi, I'm Dave Dittrich, and I'm a computer criminal." Dittrich, senior security engineer and researcher at the University of Washington's Information School, has not been unlucky enough to be prosecuted. But ten years ago, he took actions to disrupt distributed denial-of-service attacks which he says could have been construed as criminal, he says. Working within the University of Washington Network, Dittrich says he "copied files from one host in Canada that was caching malicious software and logs of compromised hosts," allowing him to gain a fuller understanding of the nascent distributed denial-of-service tools, and to inform the operators of infected Web sites that a problem existed.

The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee. The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma's Human Services' clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday. The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency. "We feel this was not a situation where someone was targeting the agency or that information," DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. "We feel it was random." Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said. News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.

By now, many employees are uncomfortably aware that their every keystroke at work, from email on office computers to text messages on company phones, can be monitored legally by their employers. What employees typically don't expect is for the company to spy on them while on password-protected sites using nonwork computers. But even that privacy could be in jeopardy. A case brewing in federal court in New Jersey pits bosses against two employees who were complaining about their workplace on an invite-only discussion group on MySpace.com, a social-networking site owned by News Corp., publisher of The Wall Street Journal. The case tests whether a supervisor who managed to log into the forum -- and then fired employees who badmouthed supervisors and customers there -- had the right to do so. The case has some legal and privacy experts concerned that companies are intruding into areas that their employees had considered off limits. "The question is whether employees have a right to privacy in their non-work-created communications with each other. And I would think the answer is that they do," said Floyd Abrams, a First Amendment expert and partner at Cahill Gordon & Reindel LLP in New York. The legal landscape is murky. For the most part, employers don't need a reason to fire nonunion workers. But state laws in California, New York and Connecticut protect employees who engage in lawful, off-duty activities from being fired or disciplined, according to a report prepared by attorneys at the firm Proskauer Rose LLP. While private conversations might be covered under those laws, none of the statutes specifically addresses social networking or blogging. Thus, privacy advocates expect to see more of these legal challenges. In February, three police officers in Harrison, N.Y., were suspended after they allegedly made lewd remarks about the town mayor on a Facebook account. The officers mistakenly thought the remarks were protected with a password, but city officials view

IT and business both understand the need to protect regulated customer and business data -- so long as they're in business, analysts say. Here's a look at how some folding businesses are falling short protecting data and the possible liabilities for the IT group and CIO. From HIPPA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds-and more are folding every week given the economy-what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan? "Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they've gone out of business and left those offices," says Jacqueline Klosek, a senior counsel in Goodwin Procter's Business Law Department and a member of its Intellectual Property Group. "In addition, company computers, often containing personal data, will find their ways to the auction block," she adds. "All too often, the discarded documents and computer files will sensitive data, such as credit card numbers, social security numbers and driver's licenses numbers. This is the just the kind of data that can be used to commit identity theft." Discarded and unguarded data is now low-hanging fruit for criminal harvesters and corporate spies. "Recent client activity supports that competitors are beginning to buy up such auction devices specifically with the intention of trying to salvage the data," says James DeLuccia, author of IT Compliance & Controls. "Hard drives are being removed and sold online, or whole servers are sold via Craigslist and Ebay." In some cases, the courts insist data be sold during a bankruptcy. "Company servers, once I restore

One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics is "it ain't easy!" "Both of us, in government and in health, are on the front-lines," Lawson proclaimed. "Article 1 of the California Constitution guarantees an individual's right to privacy and if I violate that I've violated a public trust. That's a level of responsibility that most computer security people don't have to face. If I violate that trust I can end up in jail or hauled before the legislature," she said. "Of course, these days with the turmoil in the legislature, she joked, "the former may be preferable to the later." Stanford's Mucha said that his security infrastructure was built on a two-tiered approach using identity management and enterprise access control. Mucha said that the movement to computerize heath records nationwide was moving along in fits and starts, as shown by proposed systems likeMicrosoft (NSDQ: MSFT)'s Health Vault and Google (NSDQ: GOOG)'s Personal Health Record. "The key problem is who is going to pay for the computerized of health records. It's not as much of a problem at Stanford as it is at a lot of smaller hospitals, but it's still a huge problem." Mucha said that from his perspective security service providers in the cloud and elsewhere are dealing with a shrinking security parameter or fence, which is progressing from filing cabinets, to devices, to files, and finally to the individual, who under the latest Health Insurance Portability and Accountability Act (HIPAA) privacy rules has certain rights, including rights to access and amend their health information and to obtain a record of when and why their Protected Health Information (PHI) record has bee

At first glance, Chicago's latest crime-fighting strategy seems to be plucked from a Hollywood screenplay. Someone sees a thief dipping into a Salvation Army kettle in a crowd of shoppers on State Street and dials 911 from a cellphone. Within seconds, a video image of the caller's location is beamed onto a dispatcher's computer screen. An officer arrives and by police radio is directed to the suspect, whose description and precise location are conveyed by the dispatcher watching the video, leading to a quick arrest. That chain of events actually happened in the Loop in December, said Ray Orozco, the executive director of the Chicago Office of Emergency Management and Communications. "We can now immediately take a look at the crime scene if the 911 caller is in a location within 150 feet of one of our surveillance cameras, even before the first responders arrive," Mr. Orozco said. The technology, a computer-aided dispatch system, was paid for with a $6 million grant from the Department of Homeland Security. It has been in use since a trial run in December. "One of the best tools any big city can have is visual indicators like cameras, which can help save lives," Mr. Orozco said. In addition to the city's camera network, Mr. Orozco said, the new system can also connect to cameras at private sites like tourist attractions, office buildings and university campuses. Twenty private companies have agreed to take part in the program, a spokeswoman for Mr. Orozco said, and 17 more are expected to be added soon. Citing security concerns, the city would not say how many cameras were in the system. Mayor Richard M. Daley said this week that the integrated camera network would enhance regional security as well as fight street crime. Still, opponents of Mr. Daley's use of public surveillance cameras described the new system as a potential Big Brother intrusion on privacy rights. "If a 911 caller reports that someone left a backpack on the sidewalk, wil

A leading technology advisor to President Obama said in a research note for his investment firm today that privacy and net neutrality will be among the biggest telecommunications issues facing the Federal Communications Commission and the administration going forward. Analyst Blair Levin, who was the co-lead of Obama's technology and innovation team along with nominated FCC Chair Julius Genachowski, wrote in a Stifel Nicolaus research note that the economic crisis and change of administration will shift the focus of telecom policy away from traditional phone companies to "Internet/edge" players. Indeed, Google and other Web video and voice companies like Skype have been increasingly active in recent years at the FCC, pushing particularly for net neutrality rules that would prevent carriers from blocking or charging more for certain content that travels over the Web. Levin said in a note that net neutrality will emerge again as an issue in the new administration for wireless networks. On the other hand, there won't likely be a push for new net neutrality rules for cable, DSL, and fiber network carriers at the FCC. "(There is a) consensus emerging that disputes about whether a wireline network management tool is 'reasonable' (or is actually blocking or degrading traffic) to be resolved on a case-by-case basis," Levin wrote in the note with analysts Rebecca Arbogast and David Kaut. It would be a tough climb to impose rules that force wireless carriers to open their networks. Apple and AT&T successfully argued to lawmakers and regulators to keep their exclusive iPhone contract. Skype's petition to the FCC to force carriers to allow any handset or software to operate on any network was shot down by former FCC Chairman Kevin Martin. He said the biggest "sleeper" issue will be privacy. With a major overhaul of healthcare records to the Web, the rise in behavioral advertising and cloud computing, where information is stored in computers strung across many geographies

Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems. Using peer-to-peer applications, which computer users download to share files, most commonly music and movies, M. Eric Johnson, director of the Center for Digital Strategies at Dartmouth College in Hanover, N.H., was able to access electronic medical records on computers that had the peer-to-peer programs stored on their hard drives. The medical files contained detailed personal data on physical and mental diagnoses, which a hacker could use to not only embarrass a patient but also to commit medical fraud. One of the largest stashes of medical data Johnson discovered during two weeks of research he conducted in January was a database containing two spreadsheets from a hospital he declined to identify. The files contained records on 20,000 patients, which included names, Social Security numbers, insurance carriers and codes for diagnoses. The codes identified by name four patients infected with AIDS, the mental illnesses that 201 others were diagnosed as having and cancer findings for 326 patients. Data also included links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.

A group of federal agencies and private organizations, including the National Security Agency and the Department of Homeland Security, has released a set of guidelines defining the top 20 things organizations should do to prevent cyberattacks. The Consensus Audit Guidelines (CAG) describe the 20 key actions, referred to as security controls, that organizations should take to defend their computer systems. The controls are expected to become baseline best practices for computer security, following further public- and private-sector review. CAG is being led by John Gilligan, formerly the CIO for both the U.S. Air Force and the U.S. Department of Energy, and a member of the Obama transition team dealing with IT in the Department of Defense and various intelligence agencies. "We are in a war, a cyberwar," Gilligan said on a media conference call. "And the federal government is one of many large organizations that are being targeted. Our ability at present to detect and defend against these attacks is really quite weak in many cases." Borrowing an analogy he attributed to an unnamed federal CIO, Gilligan said, "We're bleeding badly and we really need triage and we need to focus on things that will keep this patient alive." The CAG initiative represents part of a larger effort, backed by the Center for Strategic and International Studies (CSIS) in Washington, D.C., to implement recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.

Bruce Schneier is the chief security technology officer at BT and a celebrated writer and speaker on privacy, cryptography and security issues. Welcome to the future, where everything about you is saved. A future where your actions are recorded, your movements are tracked, and your conversations are no longer ephemeral. A future brought to you not by some 1984-like dystopia, but by the natural tendencies of computers to produce data. Data is the pollution of the information age. It's a natural byproduct of every computer-mediated interaction. It stays around forever, unless it's disposed of. It is valuable when reused, but it must be done carefully. Otherwise, its after effects are toxic. And just as 100 years ago people ignored pollution in our rush to build the Industrial Age, today we're ignoring data in our rush to build the Information Age. Increasingly, you leave a trail of digital footprints throughout your day. Once you walked into a bookstore and bought a book with cash. Now you visit Amazon, and all of your browsing and purchases are recorded. You used to buy a train ticket with coins; now your electronic fare card is tied to your bank account. Your store affinity cards give you discounts; merchants use the data on them to reveal detailed purchasing patterns.

In Deloitte's sixth annual Global Security Survey, people are the problem. "[P]eople continue to be an organization's greatest asset as well as its greatest worry," Adel Melek, global leader of security and privacy services at Deloitte Touche Tohmatsu, said in the report. "That has not changed from 2007. What has changed is the environment. The economic meltdown was not at its peak when respondents took this survey. If there was ever an environment more likely to facilitate an organization's people being distracted, nervous, fearful, or disgruntled, this is it. To state that security vigilance is even more important at a time like this is an understatement." On one level, that couldn't be more obvious: It's not as if anyone worries about squirrels hacking servers; security has always been about people. (Robots, the report says, are unlikely to replace the human workforce during the lifetime of anyone reading the report. Finally, some good employment news.) Yet despite the obviousness of the problem, the obvious solution -- complete denial of access -- doesn't work. People use computers and computers are more useful when connected and it just gets worse from there. That may explain why identity and access management remained top of mind for survey respondents. Deloitte's survey, drawn from major financial companies around the globe, focuses on governance, investment, risk, use of security technologies, quality of operations, and privacy. It includes some good news -- external breaches have declined sharply over the past year -- and troublesome news -- fewer companies say they have the commitment and funding to address regulatory compliance. In terms of risk, specifically information systems failure, people are identified as the most significant vulnerability. "Human error is overwhelmingly stated as the greatest weakness this year (86%), followed by technology (a distant 63%)," the report states. It attributes the rising risk to increased adoption of new techno

Affixing a dollar cost to a problem has immense benefit, and The Ponemon Institute goes to great lengths to arrive at the figures for its Annual Cost of a Data Breach Study. We painstakingly analyzed the financial impact a data breach has on a company by examining 43 different companies from a cross section of industries, all of which experienced a significant data breach affecting a range of data records representative of the norm. And knowing that a data breach may cost your company $6.65 million dollars may be all the information that is needed for a company to assign an appropriate budget to those tasked with information security. In 2008 the average total cost of a data breach was $6.65 million, up from $6.35 million last year and $4.54 in 2005. In 2008, the per-victim cost of a data breach was $202, up from $197 in 2007, and from $138 when the study was launched in 2005. Breaches involving a third party to which data had been outsourced bore a per-victim cost of $231, whereas self contained breaches bore a per-victim cost of $179. Breaches that were the result of a malicious act bore a per-victim cost of $225, whereas breaches that were the result of negligence bore a per-victim cost of $199. Breaches that were the result of a lost of stolen laptop computer bore a per-victim cost of $249, whereas breaches that did not involve a lost or stolen laptop computer bore a per-victim cost of $177. If the data breach was a first-time event for the company the per victim cost was $243, but if the company had experienced a breach previously the per victim cost was $192. The simple conclusion to these numbers is clear: the financial impact for a company that experiences a data breach is significant and rising. That finding alone may be alarming, but it seems to merely quantify what most people already knew to be true. The "wow" factor comes when you realize that we haven't simply identified the cost of an inevitable outcome, as if to tell the world, "buckle up and brac

Do you know where your friends are? If not, Google wants to help you find them. Today, Google introduced Latitude, a new opt-in feature that lets smartphone and laptop users share their location with friends and allows those friends to share their locations in return. Although not pinpoint accurate, Latitude can display your general location based on information from GPS satellites and cell towers. Latitude works on both mobile devices and personal computers. What Latitude can do Once you and your friends have opted in to Latitude, you can see your friends' Google icon displayed on Google Maps. Clicking on their icon allows you to call, email or IM them, and you can even use the directions feature on Google Maps to help you get to their location. Google says Latitude works in 27 countries and with many mobile platforms including iGoogle with your computer. The list of compatible phones are: *Android-powered devices, such as the T-Mobile G1 *iPhone and iPod touch devices (coming soon) *most color BlackBerry devices *most Windows Mobile 5.0+ devices *most Symbian S60 devices (Nokia smartphones) *many Java-enabled (J2ME) mobile phones, such as Sony Ericsson devices (coming soon)