CIPP Information Privacy & Security News

Brief descriptions and links to professional certifications in information security, physical security, audit, investigations, business continuity and more. Certifications provide a way to expand and/or demonstrate professional expertise. A wide variety of certifications are available in security and related disciplines. This directory will compile brief descriptions of certs in information and physical security, business continuity, audit and other areas, with links to details from the issuing organizations. Notes: -- This list will be updated and expanded at The Security Certification Directory on csoonline.com. -- Vendor-specific security certifications will be added in the near future.

In belt-tightening times, making the case for security investment is more difficult than ever. Security Catalyst founder Michael Santarcangelo details five steps risk professionals can use to communicate value effectively. The biggest challenge security teams face in their organization is one of perception, according to Michael Santarcangelo, founder of Security Catalyst, a New York-based consultancy focused on changing the way people protect information. Santarcangelo, who was recently a keynote speaker at the CSO Perspectives conference, said professionals focused on security are practiced at looking at risks and reducing them. Unfortunately, the rest of society often doesn't see risks the same way, making communication difficult (See also: Security and Business: Communication 101). "They lack relevant context," said Santarcangelo. "So security people get wrapped up in thinking: 'The CFO wants an ROI. We better work on ROI.' But what the CFO is really saying is:' I don't understand what you do. So you have to justify it to me.' Santarcangelo outlined his strategies for making the case for security investments at the three-day event held in Clearwater, Florida. He gave an audience of security professionals the details of his five step process for getting executives and boards to understand, and even approve, spending decisions in tough economic times. Create Santarcangelo believes one of the most effective ways to communicate value is to place focus back on the person to whom you are trying to make your pitch (See also: A CEO and CSO Who Actually Communicate). "The reason why someone changes a behavior or takes an action is because there is an inherent benefit to the person," said Santarcangelo. "But when many people start to create, they forget that. They tend to fall into the trap of thinking: 'I'm really smart and I know a lot of stuff. So I'm just going to say it and hope they will understand the value of it.'" Instead, Santarcangelo recommends creating

The discovery of documents with students' personally identifying information stored in an unlocked room has launched protests against the university's chief information security officer. Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room. The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9. For that investigative work, the student reporter could face criminal charges. Binghamton University has had other recent problems with information security. In the past year, according to an article written by Robert Glass, the WHRW news director, university employees accidentally e-mailed the Social Security numbers of 338 students to another group of 200 students, sent the personal information of exchange students -- passport scans and birth certificates -- to student groups, and disposed of information about more than 70 former graduate students in trash bins atop a pile of shredded documents. Those breaches led the university to create an information security council, with a full-time information security officer, to prevent further incidents, according to Glass. Glass did not immediately respond to a request for comment. A University spokeswoman characterized the hiring of Terry Dylewski as the university's chief information security officer as a reflection of the school's ongoing concern about information security rather than a response to past breaches. Asked about the status of the students' petition to remove Dylewski, as reported by Broome County Fox affiliate WICZ TV, she said that question should be directed to the students. The spokeswoman said the university is treating the incident as a possible crime and that a criminal investigation is ongoing. She sai

Visa Inc. last week removed breached payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc. from its list of companies that are compliant with the PCI data-security rules. But analysts said the move may be more about protecting Visa itself than about safeguarding payment card data. In a terse statement issued last Friday, Visa said it was removing Heartland and RBS WorldPay from its list of service providers compliant with PCI (download PDF) in response to the recent data breaches disclosed by each company. The decision to delist the two payment processors was based on "compromise event findings," Visa said without elaborating. The company added that it would "consider" putting Heartland and RBS WorldPay back on the compliant list, but only after they are recertified by a third-party assessor. Meanwhile, reports posted by online news site BankInfoSecurity.com and several blogs that follow the payment card industry also cited a March 12 letter from a Visa executive to banks notifying them that Heartland was now "in a probationary period" during which it would have to meet more stringent security requirements than usual. Strictly speaking, Visa's actions mean that merchants can't use either Heartland or RBS WorldPay to process payments if they themselves want to remain compliant with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS), said Gartner Inc. analyst Avivah Litan.

A list of user names and passwords for customers of Comcast, one of the nation's largest Internet service providers, sat unprotected on the Web for the last two months. The list was 8,000 lines long, but Comcast said late Monday that just 700 of those lines contained information for active customer accounts. Kevin Andreyo, an educational technology specialist in Reading, Pa., and a professor at Wilkes University, came across the list Monday on Scribd, a document-sharing Web site. Mr. Andreyo was reading a recent article in PC World entitled "People Search Engines: They Know Your Dark Secrets… And Tell Anyone," when he was inspired to find out what information about him was online. He searched for his own e-mail address on the search engine Pipl. The list on Scribd was one of four results, and it also included his password, which was a riff on his love for a local sports team. Statistics on Scribd indicated that the list, which was uploaded by someone with the user name vuthanhan2004, had been viewed over 345 times and had been downloaded 27 times.

On Wednesday, February 11, 2009, the Data Protection Working Party, an independent European advisory body on data protection and privacy, released its Working Document 1-2009 (.pdf) on pre-trial discovery for cross border civil litigation. The Working Document attempts to reconcile the tension between U.S. discovery rules and the European Union's Directive 95/46/EC (.pdf), which outlines the EU's privacy requirements. What follows is a summary of the Working Document and an analysis of how it begins to bridge the gap between U.S. discovery rules and the European privacy framework. The Working Document offers guidance to EU data controllers responding to U.S. discovery requests. As the Working Document explains, those controllers often find themselves in a bind. On the one hand, U.S. law allows for broad discovery, which may require a controller to provide, or "process," personal data of customers or employees. On the other hand, Article 7 of EU Directive 95/46 limits a member state's authority to process such data. Under Article 7, a member state may process personal data only if one of six identified grounds for processing applies. The Working Document considers the Article 7 grounds most likely to supply a legitimate basis for compliance with a discovery request - namely 1) consent, 2) necessary for compliance with a legal obligation, and 3) necessary for the purposes of a legitimate interest, where such interests are not "overridden by the interests for fundamental rights and freedoms of the data subject." Recognizing that the "interests of justice would be served by not unnecessarily limiting the ability of an organisation to act to promote or defend a legal right," the Working Document suggests that the third basis - necessary for the purposes of a legitimate interest - will often provide a ground for processing data in response to a U.S. discovery request.

The following is an excerpt from the book The Truth About Identity Theft. In this section of Chapter 11: Social Engineering (.pdf), author Jim Stickley explains how easy it really is to hack a password. People often ask me how hard it is to hack a password. In reality, it is rare that I ever need to hack someone's password. Though there are numerous ways to gain passwords on a network and hundreds, if not thousands, of tools available to crack encrypted passwords, in the end I have found that it is far easier to simply ask for them. A perfect example of this type of attack was a medium-sized bank that I was testing recently. The bank's concern was related to the new virtual private network (VPN) capabilities it had rolled out to a number of its staff. The VPN allowed staff to connect directly to their secured network while at home or on the road. There is no doubt that a VPN can increase productivity, but there are some pretty major risks that can come with that convenience. The bank explained that the VPN was tied into its Active Directory server. For people who are not technical, basically this just means that when employees log in via the VPN, they use the same credentials they use to log on to their computer at the office. So I went back to my office, sat down, and picked up the phone. The first call I made was to find out the name of an employee in the IT department. I called the company's main line to the bank, pressed 0, and asked to speak with someone in the IT department. I was asked what I was calling about, so I told the employee I was receiving emails from that bank that seemed malicious. I could have used a number of excuses, but I have found that if you tie in an unhappy customer with a potential security issue, your call gets further up the food chain. In this case, I reached a man who I will call Bill Smith. I made up a story about the email, and after a few minutes, he was able to explain to me that I had called the wrong bank and it was actuall

In this new age of data protection, where most information is stored digitally and paper shredding is commonplace, you don't need to worry about private information ending up in the garbage, right? Steve Hunt shows that assumption is just plain wrong (includes video).

Visit the Amazon.com site to buy a book online and your welcome page will include recommendations for other books you might enjoy, including the latest from your favorite authors, all based on your history of purchases. Most customers appreciate these suggestions, much the way they would recommendations by a local librarian. But, what if you visited an investment site, only to find advertising messages suggesting therapies for your recently diagnosed heart condition? Chances are that you would experience what Fran Maier calls the "creepiness" factor, a sense that someone has been snooping into a part of your life that should remain private. Maier is the Executive Director of TrustE, a nonprofit that sets guidelines for online privacy and awards a seal of approval to companies meeting those guidelines. She was a speaker at the recent Supernova conference, an annual technology event in San Francisco organized by Wharton legal studies and business ethics professor Kevin Werbach in collaboration with Wharton. Creepiness Factor The creepiness factor is a risk inherent in so-called behavioral targeting. This practice is based on marketers anonymously observing a user's behavior on the Internet and compiling a personal profile based on interests and behavior -- sites visited, searches conducted, articles read, even emails written and received. Based on their profiles, users receive advertising targeted specifically to them, regardless of where they travel on the web. Consumer advocates worry that online data collection and tracking is going too far. Marketing executives counter that consumers benefit from seeing advertising relevant to their interests and contend that relinquishing some personal data is a reasonable trade-off for free access to Internet content, much of it supported by advertising.

A Harvard University fellow has developed a browser extension that stops advertising networks from tracking a person's surfing habits, such as search queries and content they view on the Web. The extension, called Targeted Advertising Cookie Opt-Out (TACO), enables its users to opt out of 27 advertising networks that are employing behavioral advertising systems, wrote Christopher Soghoian, who developed it, on his Web site. Soghoian, a fellow at the Berkman Center for Internet and Society at Harvard and a doctoral candidate at Indiana University, modified a browser extension Google released under an Apache 2 open-source license. Google's opt-out plugin for Internet Explorer and Firefox blocks cookies delivered by its Doubleclick advertising network. A cookie is a small data file stored in a browser that can track a variety of information, such as Web sites visited and search queries, and transmit that information back to the entity that placed the cookie in the browser. Google's opt-out plugin comes as the company announced plans last week to target advertisements based on the sites people visit. Targeted advertising is seen as a way for advertisers to more precisely find potential customers as well as for Web site publishers to charge higher advertising rates. But the behavioral advertising technologies have raised concern over how consumers get enrolled in the programs, what data is being tracked and how the data is protected.

The Electronic Privacy Information Center formally asked the Federal Trade Commission on Tuesday to investigate the privacy and security safeguards of Gmail, Google Docs and other so-called cloud computing services offered by Google to consumers. The filing points to a security breach earlier this month that may have improperly exposed the files of Google Docs users to others. It asks the F.T.C. to look into the adequacy of privacy and security safeguards of Google's services and to require Google to be accountable for breaches. It also asks the agency to force Google to make its security policies more transparent and to disclose any breaches. It also asks the F.T.C. to enjoin Google from offering cloud computing services until it establishes verifiable safeguards. The full filing is available here. Marc Rotenberg, EPIC's executive director, said he was concerned about all cloud computing services, which encourage users to store a growing number of documents on the servers of companies like Google, Yahoo, Microsoft and others. But he said that EPIC focused on Google because it is the primary provider of cloud computing services to consumers.

In the paradises of broadband - Japan, South Korea and Sweden - nearly everyone can surf far faster and far cheaper than anyone in the United States. What is their secret sauce and how can we get some? The short answer is that broadband deployment in those countries was spurred by a combination of heavy government involvement, subsidies and lower corporate profits that may be tough for the economic and political system in the United States to accept. Those countries have also tried to encourage demand for broadband by paying schools, hospitals and other institutions to use high-speed Internet services. Sweden has built one of the fastest and most widely deployed broadband networks in Europe because its government granted tax breaks for infrastructure investments, directly subsidized rural deployment, and, perhaps most significantly, required state-owned municipal utilities to create local backbone networks, reducing the cost for the local telephone company to provide service. Japan let telecommunications companies write down about one-third of their investment in broadband the first year, rather than the usual policy, which requires them to spread the deductions over 22 years. The Japanese government also subsidized low-cost loans for broadband construction and paid for part of the wiring of rural areas.

The debate on Internet privacy has begun in Congress. I had a chance to sit down recently with Representative Rick Boucher, the long-serving Virginia Democrat, who has just replaced Ed Markey, the Democrat from Massachusetts, as the chairman of the House Subcommittee looking after telecommunications, technology and the Internet. Mr. Boucher is widely regarded as one of the most technologically savvy members of Congress. As he ticked off his top priorities for his panel, most involved the pressing demands of telecommunications regulation. There is a law governing how local TV stations are carried on satellite broadcasters that needs to be renewed. There is the Universal Service Fund, which takes money from most telephone customers to pay for rural service to be improved. And there is the conversion to digital television and the investments in rural broadband to be supervised. But high on his list is a topic that is very much under his discretion: passing a bill to regulate the privacy of Internet users. "Internet users should be able to know what information is collected about them and have the opportunity to opt out," he said. While he hasn't written the bill yet, Mr. Boucher said that he, working with Representative Cliff Stearns, the Florida Republican who is the ranking minority member on the subcommittee, wants to require Web sites to disclose how they collect and use data, and give users the option to opt out of any data collection. That's not a big change from what happens now, at least on most big sites.

Here's the paper's abstract: This paper presents a novel technique for authenticating physical documents based on random, naturally occurring imperfections in paper texture. We introduce a new method for measuring the three-dimensional surface of a page using only a commodity scanner and without modifying the document in any way. From this physical feature, we generate a concise fingerprint that uniquely identifies the document. Our technique is secure against counterfeiting and robust to harsh handling; it can be used even before any content is printed on a page. It has a wide range of applications, including detecting forged currency and tickets, authenticating passports, and halting counterfeit goods. Document identification could also be applied maliciously to de-anonymize printed surveys and to compromise the secrecy of paper ballots.

Google has moved forward the debate about privacy and Internet advertising, in its typical way, with deceptively simple engineering and a willingness to impose its way on others. On Wednesday, Google became the last of the big advertising companies to start keeping track of where Internet users surf online so ads can be shown to people based on what they might be interested in buying. In its approach to ad targeting, the company is responding to calls by the Federal Trade Commission and others to be more clear with users' information and control over the information it collects. It has created a window into part of its database, so users can see that Google has deduced that they are interested in "Anime & Manga" comics, or "Alternative-Punk-Metal" music or travel to Afghanistan. (Yes, those are on its list of 600 interest categories.) It also built technology to allow your browser to remember that you don't want Google (or its DoubleClick unit) to remember anything about you. It is more robust than the opt-out system used by many companies that rely on cookies in browsers. These are technical feats that other ad companies said would be too hard.

The Swiss government Friday noon announced that it will adopt the OECD standard on administrative assistance in tax matters, which is part of the OECD's Model Tax Convention. As a result Switzerland will exchange information with other governments in individual cases where "a specific and justified request has been made" for any form of tax offense. Accepting the standard will require renegotiating existing bilateral treaties. Requests from other governments, made according to the standard, will be honoured once new treaties go into effect. Ed. note: it was widely reported Friday that Switzerland has agreed to assist other governments in cases of tax evasion, not just fraud. While this may be the result of the 13 March announcement, Switzerland specifically states that it intends to adopt the convention "in accordance with Art. 26 of the OECD Model Tax Convention."

Bits readers have a serious case of broadband envy. I've been writing about the debate about how the government might encourage more high-speed Internet use and you've complained loudly that people in other countries have faster, cheaper, more widely available broadband service. Even customer-service representatives of Internet service providers overseas are nicer too. I don't know about manners, but it's easy to find examples that American's broadband is second-rate: In Japan, broadband service running at 150 megabits per second (Mbps) costs $60 a month. The fastest service available now in the United States is 50 Mbps at a price of $90 to $150 a month. In London, $9 a month buys 8 Mbps service. In New York, broadband starts at $20 per month, for 1 Mbps. In Iceland, 83 percent of the households are connected to broadband. In the United States, the adoption rate is 59 percent. There's more than just envy at stake here. President Obama campaigned on a promise of fast broadband service for all. On the White House Web site, he writes "America should lead the world in broadband penetration and Internet access." And the recent stimulus bill requires the Federal Communications Commission to create a national broadband plan in order to make high-speed Internet service both more available and more affordable. I've spent the last week trolling through reports and talking to people who study broadband deployment around the world to see what explains the faster and cheaper service in many countries. We'll start with where the United States isn't doing quite so badly: the basic speed of broadband service. If you take out the countries that have made significant investment in fiber optic networks - Japan, Korea and Sweden - the United States is in the middle of the pack when it comes to network speed.

Broadband is cheaper in many other countries than in the United States. "You have a pretty uncompetitive market by European standards," said Tim Johnson, the chief analyst at Point-Topic, a London consulting firm. Other countries have lower costs for the same reasons their DSL service is faster. Dense urban areas reduce some of the cost of building networks. In addition, governments in some countries subsidized fiber networks. But the big difference between the United States and most other countries is competition. "Now hold on there," you might say to me. Since I wrote that many countries don't have cable systems and the bulk of broadband is run by way of DSL through existing phone wires, how can there be competition? Aren't those owned by monopoly phone companies? True enough. But most big countries have devised a system to create competition by forcing the phone companies to share their lines and facilities with rival Internet providers. Not surprisingly, the phone companies hate this idea, often called unbundling, and tend to drag their feet when it is introduced. So it requires rather diligent regulators to force the telcos to play fair. And the effect of this scheme depends a lot on details of what equipment is shared and at what prices. Britain has gone the furthest, forcing BT Group to split off a unit that operates the actual network and sells to various voice and Internet providers, including its own telephone service, on an equal basis. The United States was early with this sort of approach, requiring telephone companies to allow rival Internet service providers to sell DSL service using their networks. The way these rules were written, however, meant the wholesale cost was so high that providers like AOL and Earthlink couldn't offer a better deal than the telcos themselves. And the plan was largely abandoned in 2003 by the Federal Communications Commission on the theory that the country is better served by encouraging competition

As arguments swirl over online privacy, a new survey indicates the issue is a dominant concern for Americans. More than 90 percent of respondents called online privacy a "really" or "somewhat" important issue, according to the survey of more than 1,000 Americans conducted by TRUSTe, an organization that monitors the privacy practices of Web sites of companies like I.B.M., Yahoo and WebMD for a fee. When asked if they were comfortable with behavioral targeting - when advertisers use a person's browsing history or search history to decide which ad to show them - only 28 percent said they were. More than half said they were not. And more than 75 percent of respondents agreed with the statement, "The Internet is not well regulated, and naïve users can easily be taken advantage of." The survey arrives at a fractious time. Debate over behavioral advertising has intensified, with industry groups trying to avoid government intervention by creating their own regulatory standards. Still, some Congressional representatives and the Federal Trade Commission are questioning whether there are enough safeguards around the practice. Last month, the F.T.C. revised its suggestions for behavioral advertising rules for the industry, proposing, among other measures, that sites disclose when they are participating in behavioral advertising and obtain consumers' permission to do so. One F.T.C. commissioner, Jon Leibowitz, warned that if the industry did not respond, intervention would be next. "Put simply, this could be the last clear chance to show that self-regulation can - and will - effectively protect consumers' privacy," Mr. Leibowitz said, or else "it will certainly invite legislation by Congress and a more regulatory approach by our commission." Some technology companies are making changes on their own. Yahoo recently shortened the amount of time it keeps data derived from searches. It is also including a link in some ads that explains how

As your day ticks by, it seems that everything you do can leave a data trail. From your purchases online to the resumes you post, to health care transactions made with your insurance cards, you probably are exposing your own personal data to possible snooping, fraud, or identify theft. "Having so much sensitive information available makes it even more difficult for other organizations to release information that is effectively anonymous," says Latanya Sweeney, associate professor of computer science, technology and policy, and director of Carnegie Mellon's Data Privacy Lab. Sweeney demonstrated that birth date, gender and 5-digit ZIP code is enough to identify 87 percent of people in the U.S. One year ago, Sweeney started to pull together a group of faculty who were looking at issues relating to privacy and security, and working toward possible solutions. In the Internet age, few areas of our private lives-and what U.S. Supreme Court Justice Louis Brandeis called "the right to be left alone"- remain untouched by technology. Lorrie Cranor, associate research professor in the School of Computer Science, and director of Carnegie Mellon's Usable Privacy and Security Laboratory, describes Carnegie Mellon as "the place to be for privacy research." She explains, "There's a concentration of researchers and experts here that you just don't find at any other university." So how do these Carnegie Mellon experts suggest you protect yourself when you find the information technology that drives your everyday life to be more sophisticated than you are? Here is a sample of some of their creative solutions-your wake-up call for keeping your data "self" both private and secure.