Cybercrime
January 30, 2012
* Domain-based Message Authentication, Reporting & Conformance

"DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance", is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate."

January 25, 2012
* UK Report: Serious Economic Crime - A boardroom guide to prevention and compliance

Serious Economic Crime - A boardroom guide to prevention and compliance, January 2012 [312 pages, UK government]

  • "It is significant that, for this first edition of Serious Economic Crime [Combating major fraud and corruption], published by White Page in association with the Serious Fraud Office, lawyers from the private sector – more usually known for defending clients against allegations of serious fraud – have been asked to contribute to, and indeed edit, the publication. Until relatively recently, the way in which defence lawyers and the SFO were likely to interact was as part of the traditional model of the investigation and prosecution of serious fraud. This would often involve, as far as the suspect was concerned, high-profile arrests and the simultaneous execution of several search warrants early in the morning, followed perhaps by a series of interviews under caution over many months, the eventual bringing of charges, heavily fought interlocutory hearings, battles over disclosure, and ultimately the often lengthy adversarial trial process. While it is certainly the case that all of these things still occur regularly, a large part of the discussion in this book is about a new, more consensual approach towards corporate crime on the part of the SFO, how that is operating in practice, and how it is likely to develop."
  • January 19, 2012
    * National Initiative for Cybersecurity Education - Workforce Framework

    "The NICE Cybersecurity Workforce Framework offers a working taxonomy and common lexicon that can be overlaid onto any organization's existing occupational structure. Although much work has gone into this framework, we need to ensure that it can be adopted and used across the nation. We are actively seeking to refine this framework with input from every sector of our nation's cybersecurity stakeholders. You are an integral part of this process. NICE requests that you please contribute your expertise in the field of cybersecurity by reviewing the NICE Cybersecurity Workforce Framework document and providing your public comments using the comments template."

    January 18, 2012
    * Google Launches Good to Know Campaign for Internet Safety

    "Google’s Good to Know campaign aims to help people stay safe on the Internet and manage the information they share online. The website and ads provide easy to use tips and advice on online security, help on understanding the data users share and tools they can use to manage their data. Written in clear language and featuring practical examples to illustrate complex security and privacy issues, the website and advertising campaign aim to empower users to tackle their online security concerns and make more informed decisions about their internet use. The U.S. campaign includes adverts in newspapers, on public transport and online. Download all print ads – (PDF)."

    January 16, 2012
    * Zappos.com Email to 24 Millions Customers on Password Hacking

    January 15, 2012 - "Subject: Information on the Zappos.com site - please create a new password. First, the bad news: We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password). THE BETTER NEWS: The database that stores your critical credit card and other payment data was NOT affected or accessed. SECURITY PRECAUTIONS: For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information. PLEASE CREATE A NEW PASSWORD: We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there. We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com"

    January 14, 2012
    * White House Responds to SOPA and PIPA

    Follow up to previous posting on ALA - PIPA, SOPA and the OPEN Act Quick Reference Guide, via the White House, Combating Online Piracy while Protecting an Open and Innovative Internet

  • "Right now, Congress is debating a few pieces of legislation concerning the very real issue of online piracy, including the Stop Online Piracy Act (SOPA), the PROTECT IP Act and the Online Protection and Digital ENforcement Act (OPEN). We want to take this opportunity to tell you what the Administration will support—and what we will not support. Any effective legislation should reflect a wide range of stakeholders, including everyone from content creators to the engineers that build and maintain the infrastructure of the Internet. While we believe that online piracy by foreign websites is a serious problem that requires a serious legislative response, we will not support legislation that reduces freedom of expression, increases cybersecurity risk, or undermines the dynamic, innovative global Internet."
  • January 04, 2012
    * EPIC Urges Appeals Court to Shed Light on Google-NSA Agreement

    "EPIC filed the opening brief in EPIC v. NSA, No. 11-5233, challenging the National Security Agency’s response to EPIC's Freedom of Information Act request. EPIC is seeking information about the widely publicized cybersecurity agreement between the NSA and Google that followed the January 2010 China hack. The NSA claimed it "could neither confirm nor deny" the existence of any information about its relations with Google. After the attack, Google's implemented encryption technology for Gmail by default, a privacy safeguard EPIC and technical experts had urged in 2009. For more information, see EPIC v. NSA: Google / NSA Relationship."

    December 18, 2011
    * FTC Warns That Rapid Expansion of Internet Domain Name System Could Leave Consumers More Vulnerable to Online Fraud

    News release: "The Federal Trade Commission today sent a letter to the Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees Internet domain names, expressing concern that the organization's plan to dramatically expand the domain name system could leave consumers more vulnerable to online fraud and undermine law enforcers' ability to track down online scammers. In its letter to ICANN, the Commission warned that rapid expansion of the number of generic top-level domain names (gTLDs) – the part of the domain name to the right of the dot, such as ".com," ".net" and ".org" – could create a "dramatically increased opportunity for consumer fraud," and make it easier for scam artists to manipulate the system to avoid being detected by law enforcement authorities. The Commission urged ICANN – before approving any new gTLD applications – to take additional steps to protect consumers, including starting with a pilot program to work out potential problems."

    December 15, 2011
    * Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise

    "The Blueprint for a Secure Cyber Future builds on the Department of Homeland Security Quadrennial Homeland Security Review Report’s strategic framework by providing a clear path to create a safe, secure, and resilient cyber environment for the homeland security enterprise. With this guide, stakeholders at all levels of government, the private sector, and our international partners can work together to develop the cybersecurity capabilities that are key to our economy, national security, and public health and safety. The Blueprint describes two areas of action: Protecting our Critical Information Infrastructure Today and Building a Stronger Cyber Ecosystem for Tomorrow. The Blueprint is designed to protect our most vital systems and assets and, over time, drive fundamental change in the way people and devices work together to secure cyberspace. The integration of privacy and civil liberties protections into the Department’s cybersecurity activities is fundamental to safeguarding and securing cyberspace."

  • The Atlantic Council: The New US “Blueprint” for National Cyber Security
  • December 11, 2011
    * Mozilla Firefox, Google Chrome or Microsoft Internet Explorer - Which Web Browser is Most Secured?

    "Accuvant LABS has just released some new research that compares the security of three of the most widely used web browsers – Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer. Google commissioned Accuvant to perform this comprehensive and independently designed security analysis to help advance the discussion of best practices in the security community. Our research findings are extremely thorough and complete, so we decided to create this blog to summarize the results. Malware, spyware and viruses are all too familiar to those who regularly surf the web. These malicious programs can lead to system pop-ups, slowdowns, account takeovers, credit card theft, identity theft, and the theft of personally identifiable information. While antivirus and anti-malware can help prevent an infection, the first line of defense is using a secure web browser. For a person that surfs the internet, comparing and contrasting the security of different web browsers is difficult. Marketing materials are available to the average user, but they often contain direct contradictions and the reader ends up wondering which web browser is the most secure. Our research aims to fix that problem. We compared browsers from a layered perspective, taking into account security architecture and anti-exploitation techniques. Like antivirus or anti-malware software, each provides an additional layer of defense. The nice thing is, when anti-exploitation technology prevents an attack, anti-malware and antivirus aren't needed. The idea is that it’s a lot easier to keep a fortress with a moat safe than it is to protect a beach shack."

  • Browser Security Comparison - A Quantitative Approach
  • November 30, 2011
    * Protecting and promoting the UK in a digital world

    The UK Cyber Security Strategy - Protecting and promoting the UK in a digital world, November 2011

  • "Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society."
  • November 24, 2011
    * Mapping the Mal Web - The world’s riskiest domains

    Mapping the Mal Web - The world’s riskiest domains, by Barbara Kay, CISSP, Secure by Design Group and Paula Greve, Director of Research, McAfee Labs

  • "McAfee has found overall web risk is up from last year. We saw increasing risk in some already risky portions of the web, such as .INFO; some significant reductions in risk within last year’s riskiest TLDs, especially Singapore (.SG) and Venezuela (.VE); and some new areas of concern, including Vietnam (.VN), Armenia (.AM), and Poland (.PL)...Next time you search for a celebrity photo or “how to” hint, pay special attention to the top-level domains (TLDs), the last few characters at the end of the URL in the search results. In this year’s Mapping the Mal Web study, McAfee found that web risk climbed to a record 6.2% of more than 27 million live domains we evaluated for this report. If users don’t click with care, simply viewing a page can return much more than they bargained for. This year, more websites contain malicious code that steals passwords and identity information, takes advantage of security holes in browsers, or secretly installs the ingredients that turn computers into zombies...
  • * FCC Launches the Small Biz Cyber Planner

    News release: "The FCC is launching the Small Biz Cyber Planner, an online resource to help small businesses create customized cybersecurity plans. This is the result of an unprecedented public-private partnership between government experts and private IT and security companies, including DHS, NCSA, NIST, The U.S. Chamber of Commerce, The Chertoff Group, Symantec, Sophos, Visa, Microsoft, HP, McAfee, The Identity Theft Council, ADP and others. The online tool is available at FCC.gov/cyberplanner. By almost any measure small businesses have an outsized impact on our economy and it is critically important that small businesses, a vibrant engine for job and idea creation, are secure using the many broadband enabled tools they need to efficiently run their businesses. According to a survey released in October, 2011 by Symantec and the National Cyber Security Alliance (NCSA), two-thirds of U.S. small businesses rely on broadband Internet for their day-to-day operations...This effort is part of an ongoing program to raise awareness about the cybersecurity risks to small businesses and to help these businesses become cyber-secure. Earlier this year, the FCC and a coalition of public and private-sector partners developed a cybersecurity tip sheet, which includes tips to educate business owners about basic steps they can take immediately to protect their companies. The tip sheet is available at FCC.gov/cyberforsmallbiz".

    November 21, 2011
    * McAfee Q3 2011 Threats Report Shows 2011 on Target to Be the Busiest in Mobile Malware History

    News release: "McAfee today released the McAfee Threats Report: Third Quarter 2011, which showed that the Android mobile operating system solidified its lead as the primary target for new mobile malware. The amount of malware targeted at Android devices jumped nearly 37 percent since last quarter, and puts 2011 on track to be the busiest in mobile and general malware history. Nearly all new mobile malware in Q3 was targeted at Android."

    November 20, 2011
    * Dept. of Energy IG - The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2011

    Evaluation Report - The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2011. OAS-M-12-01 November 2011.

  • "The Commission had taken actions to improve its cyber security posture and mitigate risks associated with certain issues identified during our FY 2010 evaluation. While these measures are noteworthy, our current evaluation disclosed that additional action is needed to further protect information systems and data. In particular, we continued to identify weaknesses related to the Commission's timely remediation of software vulnerabilities. Specifically, our testing found that additional opportunities existed for the Commission to ensure that all servers and workstations were patched in a timely manner."
  • November 14, 2011
    * DoD IA Policy Chart - Build and Operate a Trusted Global Information Grid

    "Building, operating and securing the Global Information Grid (GIG) for the Department of Defense is a complex and ongoing challenge. The Deputy Assistant Secretary of Defense (DASD) for Cyber Identity and Information Assurance has developed a strategy for meeting this challenge, which is available here: Build and Operate a Trusted GIG - Identity & Information Assurance Related Policies and Issuances - Developed by the DoD CIO, IIA Deputate. Last Updated: October 18, 2011. In the CIIA Strategy, the primary goal areas are as listed as follows:

    • Organize for unity of purpose and speed of action (shortened to "Organize" in the chart).
    • Enable secure mission driven access to information and services (shortened to "Enable" in the chart).
    • Anticipate and prevent successful attacks on data and networks (shortened to "Anticipate" in the chart).
    • Prepare for and operate through cyber degradation or attack (shortened to "Prepare" in the chart)."
    • The Information Assurance Technology Analysis Center (IATAC) is a U.S. Department of Defense Information Analysis Center (IAC) sponsored by the Defense Technical Information Center (DTIC), and Assistant Secretary of Defense Research and Engineering (ASDR&E). IATAC is hosted by Booz Allen Hamilton."

    November 10, 2011
    * National Initiative on Cybersecurity Education Workforce Framework

    "The NICE Cybersecurity Workforce Framework offers a working taxonomy and common lexicon that can be overlaid onto any organization's existing occupational structure. Although much work has gone into this framework, we need to ensure that it can be adopted and used across the nation. We are actively seeking to refine this framework with input from every sector of our nation's cybersecurity stakeholders."

    November 06, 2011
    * The Socialbot Network: When Bots Socialize for Fame and Money

    The Socialbot Network: When Bots Socialize for Fame and Money -
    Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu -
    University of British Columbia Vancouver, Canada

  • "Online Social Networks (OSNs) have become an integral part of today's Web. Politicians, celebrities, revolutionists, and others use OSNs as a podium to deliver their message to millions of active web users. Unfortunately, in the wrong hands, OSNs can be used to run astroturf campaigns to spread misinformation and propaganda. Such campaigns usually start by in filrating a targeted OSN on a large scale. In this paper, we evaluate how vulnerable OSNs are to a large-scale infiltration by socialbots: computer programs that control OSN accounts and mimic real users. We adopt a traditional web-based botnet design and built a Socialbot Network (SbN): a group of adaptive socialbots that are orchestrated in a command-and-control fashion. We operated such an SbN on Facebook|a 750 million user OSN|for about 8 weeks. We collected data related to users' behavior in response to a large-scale in filtration where socialbots were used to connect to a large number of Facebook users. Our results show that (1) OSNs, such as Facebook, can be in filtrated with a success rate of up to 80%, (2) depending on users' privacy settings, a successful in filtration can result in privacy breaches where even more users' data are exposed when compared to a purely public access, and (3) in practice, OSN security defenses, such as the Facebook Immune System, are not e ffective enough in detecting or stopping a large-scale in filtration as it occurs."
  • October 28, 2011
    * NIST Publishes Guide for Monitoring Security in Information Systems

    Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations (NIST Special Publication [SP] 800-137)

  • "Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance (i.e., is the control implemented in accordance with the security plan to address threats and is the security plan adequate).3 Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization’s information and information systems, along with organizational resilience given known threat information."
  • October 27, 2011
    * DOE IG - The Department's Unclassified Cyber Security Program – 2011

    DOE IG Evaluation Report - The Department's Unclassified Cyber Security Program – 2011, DOE/IG-0856 October 2011

  • "The Department had taken steps over the past year to address previously identified cyber security weaknesses and enhance its unclassified cyber security program. While these were positive steps, additional action is needed to further strengthen the Department's unclassified cyber security program and help address threats to its information and systems. For example, our FY 2011 evaluation disclosed that corrective actions had been completed for only 11 of the 35 cyber security weaknesses identified in our FY 2010 review. In addition, we identified numerous weaknesses in the areas of access controls, vulnerability management, web application integrity, contingency planning, change control management, and cyber security training. While many of the same or similar issues had been noted in prior FISMA reports, the number of weaknesses identified represented a 60 percent increase over our FY 2010 review."
  • * Research Study - All Your Clouds are Be­long to us – Se­cu­ri­ty Ana­ly­sis of Cloud Ma­nage­ment In­ter­faces

    All Your Clouds are Be­long to us – Se­cu­ri­ty Ana­ly­sis of Cloud Ma­nage­ment In­ter­faces - Juraj So­mo­rovs­ky, Mario Hei­de­rich, Meiko Jen­sen, Jörg Schwenk, Nils Grusch­ka, Luigi Lo Ia­co­no. In Pro­cee­dings of the ACM Cloud Com­pu­ting Se­cu­ri­ty Work­shop (CCSW), 2011.

  • "Cloud Com­pu­ting re­sour­ces are hand­led through con­trol in­ter­faces. It is through these in­ter­faces that the new ma­chi­ne ima­ges can be added, exis­ting ones can be mo­di­fied, and in­stan­ces can be star­ted or cea­sed. Ef­fec­tive­ly, a suc­cess­ful at­tack on a Cloud con­trol in­ter­face grants the at­ta­cker a com­ple­te power over the victim’s ac­count, with all the stored data in­clu­ded. In this paper, we pro­vi­de a se­cu­ri­ty ana­ly­sis per­tai­ning to the con­trol in­ter­faces of a large Pu­blic Cloud (Ama­zon) and a wi­de­ly used Pri­va­te Cloud soft­ware (Eu­ca­lyp­tus). Our re­se­arch re­sults are alar­ming: in re­gards to the Ama­zon EC2 and S3 ser­vices, the con­trol in­ter­faces could be com­pro­mi­sed via the novel si­gna­tu­re wrap­ping and ad­van­ced XSS tech­ni­ques. Si­mi­lar­ly, the Eu­ca­lyp­tus con­trol in­ter­faces were vul­nerable to clas­si­cal si­gna­tu­re wrap­ping at­tacks, and had ne­ar­ly no pro­tec­tion against XSS. As a fol­low up to those dis­co­ve­ries, we ad­di­tio­nal­ly de­scri­be the coun­ter­me­a­su­res against these at­tacks, as well as in­tro­du­ce a novel ”black box” ana­ly­sis me­tho­do­lo­gy for pu­blic Cloud in­ter­faces."
  • October 16, 2011
    * SEC: views regarding disclosure obligations relating to cybersecurity risks and cyber incidents

    This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents, October 13, 2011

  • "For a number of years, registrants have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity1 have also increased, resulting in more frequent and severe cyber incidents. Recently, there has been increased focus by registrants and members of the legal and accounting professions on how these risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws. As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances."
  • October 08, 2011
    * Executive Order -- Structural Reforms to Improve the Security of Classified Networks

    Executive Order -- Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, October 07, 2011

  • "This order directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties. Agencies bear the primary responsibility for meeting these twin goals. These structural reforms will ensure coordinated interagency development and reliable implementation of policies and minimum standards regarding information security, personnel security, and systems security; address both internal and external security threats and vulnerabilities; and provide policies and minimum standards for sharing classified information both within and outside the Federal Government. These policies and minimum standards will address all agencies that operate or access classified computer networks, all users of classified computer networks (including contractors and others who operate or access classified computer networks controlled by the Federal Government), and all classified information on those networks."
  • See also related postings on WikiLeaks
  • October 07, 2011
    * Wired Reports Keylogger Computer Virus Has Infected U.S. Drone Fleet

    Danger Room: "A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones. The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system."

    October 03, 2011
    * New GAO Report: Info Security Weaknesses Continue Amid New Federal Efforts to Implement Requirements

  • Information Security - Weaknesses Continue Amid New Federal Efforts to Implement Requirements, GAO-12-137, October 3, 2011
  • "Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing over 650 percent over the past 5 years. Each of the 24 agencies reviewed had weaknesses in information security controls. An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs. As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise. In reports for fiscal years 2010 and 2011, GAO and agency inspectors general have made hundreds of recommendations to agencies for actions necessary to resolve control deficiencies and information security program shortfalls. Agencies generally agreed with most of GAO's recommendations and indicated that they would implement them. OMB, agencies, and the National Institute of Standards and Technology took actions intended to improve the implementation of security requirements, but more work is necessary. Beginning in fiscal year 2009, OMB provided agencies with a new online tool to report their information security postures and, in fiscal year 2010, instituted the use of new and revised metrics. Nevertheless, OMB's guidance for those metrics did not always provide performance targets for measuring improvement. In addition, weaknesses were identified in the processes agencies used to implement requirements."
  • September 30, 2011
    * Verizon’s 2011 Payment Card Industry Compliance Report

    2011 Payment Card Industry Compliance Report - A Study Conducted By The Verizon PCI And RISK Intelligence Teams

  • "This report analyzes findings from actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments conducted by Verizon’s team of Qualified Security Assessors (QSAs). The report describes where these organizations stand in terms of overall compliance with the DSS and presents analysis around which specific requirements are most and least often in place during the assessment process. Furthermore, we overlay this assessment centric data with findings from Verizon’s Investigative Response services to provide a unique risk-centric perspective on the compliance process. In a section new to this year’s edition, significance tests are conducted to examine the relationship (or lack thereof) between various organizational practices and initial compliance scores."
  • September 22, 2011
    * Check Point Survey Reveals Nearly Half of Enterprises Are Victims of Social Engineering

    News release: "Check Point® Software Technologies Ltd. announced the results of a new report revealing 48 percent of enterprises surveyed have been victims of social engineering, experiencing 25 or more attacks in the past two years, costing businesses anywhere from $25,000 to over $100,000 per security incident. The report, The Risk of Social Engineering on Information Security, shows phishing and social networking tools as the most common sources of socially-engineering threats – encouraging businesses to implement a strong combination of technology and user awareness to minimize the frequency and cost of attacks. Socially-engineered attacks traditionally target people with an implied knowledge or access to sensitive information. Hackers today leverage a variety of techniques and social networking applications to gather personal and professional information about an individual in order to find the weakest link in the organization. According to the global survey of over 850 IT and security professionals, 86 percent of businesses recognize social engineering as a growing concern, with the majority of respondents (51%) citing financial gain as the primary motivation of attacks, followed by competitive advantage and revenge."

    * FINCEN: Identity Theft Trends, Patterns, and Typologies Based on Suspicious Activity Reports

    Identity Theft - Trends, Patterns, and Typologies Based on Suspicious Activity Reports. Filed by the Securities and Futures Industries January 1, 2005 – December 31, 2010. Report released September 2011.

  • "This report focuses on identity theft in the securities and futures industries. Based on Suspicious Activity Report by the Securities and Futures Industries (SAR-SF) filings, it describes recent patterns and trends of SAR-SF reporting and identifies methods by which identity thieves may access and abuse investment, retirement, and trust accounts to defraud individual account holders and/or securities firms. FinCEN added identity theft as a characterization of suspicious activity on the SAR-SF form in May 2004 following an increase in the reporting of this type of activity. This study is based on SAR-SF filings made between 2005 and 2010. It complements an October 2010 FinCEN report that described, in part, ways that identity thieves reportedly defraud individuals and depository institutions by gaining unauthorized access to credit cards, loans, and depository accounts...The number of SAR-SFs reporting identity theft grew by 89 percent from 2005 to 2010, and nearly 13 percent of all SAR-SF filings over the 6-year period in part characterized the reported activity as identity theft."
  • August 30, 2011
    * Research Center on the Prevention of Financial Fraud

    News release: "Stanford University’s Center on Longevity and the FINRA Investor Education Foundation have joined together to launch the Research Center on the Prevention of Financial Fraud, an interdisciplinary resource for law enforcement, government and research groups studying financial fraud. Financial fraud, ranging from Ponzi schemes to online phishing scams and work from home schemes, swindles Americans out of billions of dollars each year. While emerging technologies continue to fuel the expansion and reach of financial fraud, this joint initiative will support and consolidate scientific research and connect this research to practical prevention and detection efforts."

    August 25, 2011
    * Symantec Intelligence Report - August 2011

    "Symantec Corp. announced the results of the August 2011 Symantec Intelligence Report, now combining the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. This month’s analysis reveals that once more spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit. In a pump-and-dump stock scam, spammers promote certain stocks in order to inflate the price as much as possible so that they may then be sold before their valuation crashes back to reality. The spam for these scams tries to convince the prospective mark that the penny stock is actually worth more than its valuation, or that it will soon skyrocket. Most of these claims are either misleading or false. A successful pump-and-dump spam campaign will artificially drive up the price of the stock to a point where the scammers decide to sell their shares. This usually coincides with them ending the spam campaign, which in turn reduces the interest in the stock, helping to drive its valuation back to the original low price."

    August 22, 2011
    * Improvements in Patch and Configuration Management Controls Can Better Protect TSA’s Wireless Network and Devices

    Department of Homeland Security Office of Inspector General, Improvements in Patch and Configuration Management Controls Can Better Protect TSA’s Wireless Network and Devices (Redacted) OIG-11-99 July 2011

  • "Overall, TSA has implemented effective physical and logical security controls to protect its wireless network and devices. We did not detect any high-risk vulnerabilities on its wireless network infrastructure or rogue or unauthorized wireless networks or devices attributed to TSA or the Federal Air Marshal Service. Although we identified signal leakage from TSA’s wireless network, we determined that this was not a security risk because of the mitigating controls implemented. However, we identified high-risk vulnerabilities involving patch and configuration controls. Improvements are needed to enhance the security of wireless components to fully comply with the department’s information security policies and better protect TSA’s and Federal Air Marshal Service’s wireless infrastructure against potential risks, threats, and exploits."
  • August 18, 2011
    * Trends in Circumventing Web-Malware Detection

    Trends in Circumventing Web-Malware Detection. Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt. Google Technical Report rajab-2011a, July 2011

  • "Malicious web sites that compromise vulnerable computers are an
    ever-present threat on the web. The purveyors of these sites are
    highly motivated and quickly adapt to technologies that try to protect users from their sites. This paper studies the resulting arms race between detection and evasion from the point of view of Google’s Safe Browsing infrastructure, an operational web-malware detection system that serves hundreds of millions of users. We analyze data collected over a four year period and study the most popular practices that challenge four of the most prevalent web-malware detection systems: Virtual Machine client honeypots, Browser Emulator client honeypots, Classification based on domain reputation, and Anti-Virus engines. Our results show that none of these systems are effective in isolation. In addition to describing specific methods that malicious web sites employ to evade detection, we study trends over time to measure the prevalence of evasion at scale. Our results indicate that exploit delivery mechanisms are becoming increasingly complex and evasive."
  • August 16, 2011
    * McAfee White Paper on Global Cyberattacks

    Revealed: Operation Shady RAT by Dmitri Alperovitch, Vice President, Threat Research, McAfee: "An investigation of targeted intrusions into more than 70 global companies, governments, and non-profit organizations during the last five years."

  • "...the targeted compromises we are focused on — known as advanced persistent threats (APTs) — are much more insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat. What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries."
  • August 12, 2011
    * Writing and Maintaining Secure Online Passwords

    Haystack Logo...and how well hidden is YOUR needle?

  • "Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose, is discovered.
    If every possible password is tried, sooner or later yours will be found. The question is: Will that be too soon...or enough later? This interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search. Please see the discussion below for additional information."
  • August 10, 2011
    * Data-Enabled Government: How Well Is Our Personal Information Used and Protected?

    Data-Enabled Government: How Well Is Our Personal Information Used and Protected? - HP Business White Paper

  • "This is a summary of a longer report written in co-operation with the Economist Intelligence Unit. It examines the key issues surrounding the use and protection of personal data and draws on in-depth interviews with experts working on the front lines of public sector data management in the UK, Germany, France and Sweden, as well as academics and other authorities...Governments are continually expanding the breadth and depth of data they hold about their citizens, from the provision of public health and welfare services, to law enforcement and public security. In the pursuit of greater efficiency and improved public services, many are digitising operations and sharing information. However, the issues surrounding how to both deliver better service and safeguard private citizen data are becoming increasingly complex."
  • * Mobile App Security Study: appWatchdog Findings

    "Data (in)security is rapidly gaining consumer attention in major media. In 2011 major breaches at Sony, Epsilon and others have highlighted the risk consumers face from their data being compromised. Major corporations are now recognizing the urgency to implement strong and innovative security measures to ensure the security of their customers’ data. At the same time, both Apple and Google have seen stunning growth in the past few years and now dominate the smartphone market. Companies and app developers have leveraged these platforms to provide new mobile services, often bringing them to market very quickly. But what steps have the smartphone OS providers and app developers taken to secure the data on their customers’ smartphones? At viaForensics we believe in proactive forensics – applying the power of forensic methods proactively to improve digital security. With appWatchdog we utilize forensic techniques to investigate consumer mobile apps and understand what user data is stored and could be at risk. This white paper summarizes our findings for the first 100 tests, from November 2010 through June 2011."

    August 08, 2011
    * New FFIEC Guidelines: Full Text Unabridged Supplement Focuses on Risk Assessments, Customer Awareness

    Supplement to Authentication in an Internet Banking Environment

  • "The purpose of this Supplement to the 2005 Guidance [Supplement] is to reinforce the Guidance's risk management framework and update the Agencies' expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment. The Supplement reiterates and reinforces the expectations described in the 2005 Guidance that financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks. It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution's customer awareness and education program."
  • * CRS - Critical Infrastructures: Background, Policy, and Implementation

    Critical Infrastructures: Background, Policy, and Implementation -
    John D. Moteff, Specialist in Science and Technology Policy, July 11, 2011: "This report discusses in more detail the evolution of a national critical infrastructure policy and the institutional structures established to implement it. The report highlights five issues of Congressional concern: identifying critical assets; assessing vulnerabilities and risks; allocating resources; information sharing; and regulation."

    August 05, 2011
    * Firefox Extension Defends Against Search Hijacking Schemes and Improves Web Security

    News release: "The Electronic Frontier Foundation (EFF), in collaboration with the Tor Project, has launched an official 1.0 version of HTTPS Everywhere, a tool for the Firefox web browser that helps secure web browsing by encrypting connections to more than 1,000 websites. HTTPS Everywhere was first released as a beta test version in June of 2010. Today's 1.0 version includes support for hundreds of additional websites, using carefully crafted rules to switch from HTTP to HTTPS. HTTPS protects against numerous Internet security and privacy problems, including the search hijacking on U.S. networks that was revealed by an article published today in New Scientist magazine. The article, entitled US internet providers hijacking users' search queries, documents how a company called Paxfire has been intercepting and altering search traffic on a number of ISPs' networks. HTTPS can prevent such attacks."

    August 03, 2011
    * McAfee Releases Online Banking Safety Guide for the 47 Percent of Consumers Who Are Underprotected

    News release: "Acting on recent data that reveals many consumers still aren’t protected by even basic antivirus software when banking online, McAfee today released an educational guide for banking safely on computers, tablets or mobile devices. According to Javelin Strategy & Research, in 2010 47 percent of household financial managers did not have antivirus software installed. Combining McAfee intelligence with the latest U.S. banking data from many top sources revealed that most consumers fall into one of three categories of online banking behavior, and that age tends to play a strong role in safety and security habits online. Most people’s level of confidence with banking online is associated with their overall comfort level online, including participating in such activities as shopping, searching, and social networking."

  • Complete details on each of the online banking personality types and accompanying graphics
  • Find out what phishing is, how to spot fake emails, and how to avoid it all together
  • July 26, 2011
    * New GAO Reports: Burma, Combating Nuclear Smuggling, Cybersecurity, Federal Workers' Compensation, Value-Added Taxes
    • Burma - UN and U.S. Agencies Assisted Cyclone Victims in Difficult Environment, but Improved U.S. Monitoring Needed, GAO-11-700, July 26, 2011
    • Combating Nuclear Smuggling - DHS has Developed a Strategic Plan for its Global Nuclear Detection Architecture, but Gaps Remain, GAO-11-869T, July 26, 2011
    • Cybersecurity - Continued Attention Needed to Protect Our Nation's Critical Infrastructure, GAO-11-865T, July 26, 2011
    • Defense Management - Actions Needed to Improve Management of Air Force's Food Transformation Initiative, GAO-11-676, July 26, 2011
    • Federal Workers' Compensation - Questions to Consider in Changing Benefits for Older Beneficiaries, GAO-11-854T, July 26, 2011
    • Mutual Fund Advertising - Improving How Regulators Communicate New Rule Interpretations to Industry Would Further Protect Investors, GAO-11-697, July 26, 2011
    • Value-Added Taxes - Potential Lessons for the United States from Other Countries' Experiences - GAO-11-867T, July 26, 2011
    July 24, 2011
    * Looks Too Good To Be True.com webstie

    "While the Internet can be a safe and convenient place to do business, scammers are out there in "cyber world" targeting unsuspecting consumers. The Looks Too Good To Be True.com website was built to educate you, the consumer, and help prevent you from becoming a victim of an Internet fraud scheme. The website was developed and is maintained by a joint federal law enforcement and industry task force. Funding for the site has been provided by the United States Postal Inspection Service and the Federal Bureau of Investigation. Key partners include the National White Collar Crime Center, Monster.com, Target and members of the Merchants Risk Council."

    July 14, 2011
    * Department of Defense Strategy for Operating in Cyberspace

    Department of Defense Strategy for Operating in Cyberspace, July 2011

  • "...the Department of Defense (DoD) depends on cyberspace to function. It is difficult to overstate this reliance; DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe. DoD uses cyberspace to enable its military, intelligence, and business operations, including the movement of personnel and material and the command and control of the full spectrum of military operations. The Department and the nation have vulnerabilities in cyberspace. Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity – the security of the technologies that we use each day. Moreover, the continuing growth of networked systems, devices, and platforms means that cyberspace is embedded into an increasing number of capabilities upon which DoD relies to complete its mission. Today, many foreign nations are working to exploit DoD unclassified and classified networks, and some foreign intelligence organizations have already acquired the capacity to disrupt elements of DoD’s information infrastructure. Moreover, non-state actors increasingly threaten to penetrate and disrupt DoD networks and systems. We recognize that there may be malicious activities on DoD networks and systems that we have not yet detected."
  • July 05, 2011
    * FFIEC - Supplement to Authentication in an Internet Banking Environment

    "The purpose of this [June 22, 2011] Supplement to the 2005 Guidance (Supplement) is to reinforce the Guidance’s risk management framework and update the Agencies’ expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment. The Supplement reiterates and reinforces the expectations described in the 2005 Guidance that financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks. It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution’s customer awareness and education program."

    July 04, 2011
    * Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified DoD Information

    Federal Register Volume 76, Number 125 (Wednesday, June 29, 2011)]

  • "The purpose of this proposed DFARS rule is to implement adequate security measures to safeguard unclassified DoD information within contractor information systems from unauthorized access and disclosure, and to prescribe reporting to DoD with regard to certain cyberintrusion events that affect DoD information resident on or transiting through contractor unclassified information systems. This rule addresses the safeguarding requirements specified in Executive Order 13556, Controlled Unclassified Information. On-going efforts, currently being led by the National Archives and Records Administration regarding controlled unclassified information, may also require future DFARS revisions in this area. This case does not address procedures for Government sharing of cyber security threat information with industry; this issue will be addressed separately through follow-on rulemaking procedures as appropriate."
  • June 18, 2011
    * Cybersecurity, Innovation and the Internet Economy Cybersecurity, Innovation and the Internet Economy, Department of Commerce Internet Policy Task Force, June 2011
  • "The Internet allows users to gather, store, process, and transfer vast amounts of data, including proprietary and sensitive business, transactional, and personal data. At the same time that businesses and consumers rely more and more on such capabilities, cybersecurity threats continue to plague the Internet economy. Cybersecurity threats evolve as rapidly as the Internet expands, and the associated risks are becoming increasingly global. Staying protected against cybersecurity threats requires all users, even the most sophisticated ones, to be aware of the threats and improve their security practices on an ongoing basis. Creating incentives to motivate all parties in the Internet economy to make appropriate security investments requires technical and public policy measures that are carefully balanced to heighten cybersecurity without creating barriers to innovation, economic growth, and the free flow of information."
  • June 15, 2011
    * Congress Should Enact Data Security and Breach Notification Law, FTC Says

    News release: "The Federal Trade Commission told Congress today during a hearing that to minimize the risk of identity theft or other harm, companies should employ reasonable safeguards to protect consumer information, collect only information for which they have a legitimate business need, and retain data only as long as necessary to fulfill the business purposes for which it was collected. The FTC also reiterated its recommendation that Congress pass legislation that would require companies to implement reasonable security practices and to notify consumers when there is a data security breach...The Commission expressed its support for federal legislation that would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The testimony notes that the Committee’s “Discussion Draft” of data security legislation accomplishes these key goals. The testimony highlights several other elements of the Discussion Draft, which gives the Commission authority to use the standard APA notice and comment procedures for rulemaking in connection with the legislation, provides for civil penalties for violations, and requires non-profit entities to adhere to the same data security and breach notification standards as for-profit entities."

    June 14, 2011
    * White House Releases A Policy Framework for the 21st Century Grid

    A Policy Framework for the 21st Century Grid: Enabling Our Secure Energy Future, June 2011

  • "This report outlines policy recommendations that build upon the Energy Independence and Security Act of 2007 and the Obama Administration's smart grid investments to foster long-term investment, job growth, innovation, and help consumers save money. The report was prepared by the Subcommittee on Smart Grid of the National Science and Technology Council, Committee on Technology. A 21st century electric system is essential to America's ability to lead the world and create jobs in the clean-energy economy of the future. The Administration has made unprecedented investments in clean-energy technologies and grid modernization. For example, as part of the Recovery Act, the Nation invested more than $4.5 billion for electricity delivery and energy reliability modernization. This report highlights further efforts that are needed to take advantage of opportunities made possible by modern information, energy, and communications technology. It also provides a policy framework that promotes cost-effective investment, fosters innovation to spur the development of new products and services, empowers consumers to make informed decisions with better energy information, and secures the grid against cyber attacks. Facilitating a smarter and more secure grid will require sustained cooperation among the private sector, state and local governments, the Federal Government, consumer groups, and other stakeholders. Such progress is important to ensure that the United States is a world leader in the 21st century economy, is at the forefront of the clean energy revolution, and wins the future by encouraging innovation."
  • June 08, 2011
    * Commerce Department Proposes New Policy Framework to Strengthen Cybersecurity Protections for Businesses Online

    News release: "The U.S. Department of Commerce today released a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector. The report, Cybersecurity, Innovation and the Internet Economy, focuses on the “Internet and Information Innovation Sector” (I3S) – these are businesses that range from small and medium enterprises and bricks-and-mortar firms with online services, to social networking sites and Internet-only business, to cloud computing firms that are increasingly subject to cyber attacks."

    * UK: Review of the Money Laundering Regulations 2007: June 2011 the Government response

    HM Treasury Review of the Money Laundering Regulations 2007: the Government response, June 2011

  • "The Government’s approach is to ensure the UK financial system is a hostile environment for money laundering and terrorist finance while minimising the burden on legitimate businesses. In so doing and in order to prevent the UK being put at an economic disadvantage, the UK Government remains committed to the effective implementation of global standards (those agreed by the 36 Member States of the Financial Action Task Force) and the EU 3rd Money Laundering Directive (EU Directive). The implementation of these requirements by the UK is underpinned by the principles of effectiveness, proportionality and engagement; and is driven by a commitment to the risk-based approach provided for in the Regulations. This gives businesses flexibility in their implementation of the Regulations and it helps to avoid the ‘tick-box’ application of the regulations under which emphasis is placed on formally discharging requirements rather than the substance of effective AML practice. It should help to minimise costs on business and to ensure the Regulations are effective and proportionately implemented on a case-by-case basis, by reflecting the considered judgement of individual businesses of the risks they face."
  • June 05, 2011
    * Survey Finds Nearly Half of 6- to 9-Year-Olds Talk to Friends Online and Use Social Networks

    News release: "AVG Technologies, Inc. announced it will make its leading Family Safety software available for free in exchange for a 99 cent donation to the American Red Cross family relief efforts in Joplin, Mo. The move comes in response to research the company conducted and has released over the course of the year on early childhood technology usage trends, “Digital Diaries" and is complemented with the release of a first-of-its-kind e-book and mobile application for teaching very young children the basics of online safety, Little Bird’s Internet Security Adventure.” AVG CEO JR Smith is making appearances across the country today urging parents to consider introducing their child to Little Bird to help them learn about online safety....Roughly half of today’s children (ages 6-9) are regularly talking to their friends online and using social networks, yet 58 percent of their parents admit they are not well-informed about their children’s online social networks. The “Digital Playground,” the third stage of AVG’s year-long “Digital Diaries” research program, further reveals the increasingly digitally-literate group of 6- to 9-year-olds and their parents in North America, Europe, Australia and New Zealand to find that:

    • More than half (51 percent) of 6- to 9-year-olds use some kind of children’s social network such as Club Penguin or WebKinz.
    • Roughly one in five use email, and despite being underage, 14 percent are on Facebook, according to their parents.
    • 47 percent of 6- to 9-year-olds talk to their friends on the Internet.
    • Almost one in six 6- to 9-year-olds and one in five 8- to 9-year-olds have experienced what their parents consider objectionable or aggressive behavior online.
    • American children average four hours online each week, slightly more than the worldwide average of 3.5 hours per week.
    • 58 percent of parents admit they are neither well-informed nor understand their children’s online social networks.
    • Only 56 percent of parents were certain their family computer has parental controls or safety programs in place."

    June 01, 2011
    * Google Issues Advisory - Ensuring your information is safe online

    Official Google Blog: "...Through the strength of our cloud-based security and abuse detection systems, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.) Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities."

    May 31, 2011
    * WSJ - Pentagon Considers Cyberattacks as Acts of War

    WSJ: "The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force. The Pentagon's first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country's military. In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official. Recent attacks on the Pentagon's own systems—as well as the sabotaging of Iran's nuclear program via the Stuxnet computer worm—have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks. A key moment occurred in 2008, when at least one U.S. military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact."

    May 30, 2011
    * G8 Declaration - Renewed Commitment For Freedom and Democracy

    G8 Summit of Deauville - May 26-27, 2011: "We discussed new issues such as the Internet which are essential to our societies, economies and growth. For citizens, the Internet is a unique information and education tool, and thus helps to promote freedom, democracy and human rights. The Internet facilitates new forms of business and promotes efficiency, competitiveness, and economic growth. Governments, the private sector, users, and other stakeholders all have a role to play in creating an environment in which the Internet can flourish in a balanced manner. In Deauville in 2011, for the first time at Leaders' level, we agreed, in the presence of some leaders of the Internet economy, on a number of key principles, including freedom, respect for privacy and intellectual property, multi-stakeholder governance, cyber-security, and protection from crime, that underpin a strong and flourishing Internet. The "e-G8" event held in Paris on 24 and 25 May was a useful contribution to these debates."

    May 16, 2011
    * White House: Launching the U.S. International Strategy for Cyberspace

    "White House officials released an international cyberstrategy here today that will help to build a “coalition of nations [with a] mutual interest in securing cyberspace,” Deputy Defense Secretary William J. Lynn III said...To realize fully the benefits that networked technology promises the world, these systems must function reliably and securely. People must have confidence that data will travel to its destination without disruption. Assuring the free flow of information, the security and privacy of data, and the integrity of the interconnected networks themselves are all essential to American and global economic prosperity, security, and the promotion of universal rights. Almost a third of the world’s population uses the Internet and countless more are touched by it in their daily lives. There are more than four billion digital wireless devices in the world today. Scarcely a halfcentury ago, that number was zero. We live in a rare historical moment with an opportunity to build on cyberspace’s successes and help secure its future for U.S. citizens and the global community. For these technologies to continue to empower individuals, enrich societies, and foster the research, development, and innovation essential to building modern economies, it must retain the openness and interoperability that have characterized its explosive growth. Underlying these are technical principles and effective governance structures that demand our support. At the same time, our networks must be secure and reliable; they must retain the trust of individuals, businesses and governments, and should be resilient to arbitrary or malicious disruption."

  • You can read the full strategy (pdf) and a fact sheet on the strategy (pdf).
  • May 12, 2011
    * Obama Administration Unveils its Cybersecurity Legislative Proposal

    "...the Administration has transmitted a cybersecurity legislative proposal to Capitol Hill in response to Congress’ call for assistance on how best to address the cybersecurity needs of our Nation. This is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government; fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cybersecurity. Just as importantly, it does so while providing a robust framework to protect civil liberties and privacy."

    May 04, 2011
    * Hearing on The Threat of Data Theft to American Consumers

    Via CDT - The Threat of Data Theft to American Consumers: "Two high profile data (Sony's Playstation and Epsilon) breaches have grabbed headlines lately because of their recency, data breach is a major longstanding problem for consumers, businesses and government. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached due to the roughly 2,460 data breaches made public since 2005.5 According to a 2010 Ponemon benchmark study, the cost of data breaches to businesses – in terms of preventing, detecting, and notifying individuals of breach, as well as legal defense and lost business opportunities – have risen considerably over the past several years. Consumers whose personal information is lost or stolen in data breaches face increased risks of identity theft, spam and phishing attacks, reduced trust toward services on which they depend, and sometimes humiliating loss of privacy over sensitive medical conditions."

    * $15bn of preventable software costs found in organizations in the United States and United Kingdom

    News release: 1E, the global leader in IT efficiency software today announced the results of an independent study of IT professionals in the United States and United Kingdom into software efficiency. The study, commissioned in association with the International Association of Information Technology Asset Managers (IAITAM) and the Federation Against Software Theft Investors in Software (FASTIiS) conducted by Opinion Matters, revealed that software waste is endemic in organizations today, preventing cost efficiencies and unnecessarily draining IT budgets....The results of the software efficiency study were broadly similar in both territories. The study found that just 8 percent of UK organizations and 9 percent of US organizations systematically reclaim unused software licenses to save money. Respondents cited concerns about user reaction, business risk and lack of tools as reasons against action; however, the report found a clear financial imperative for every organization to do so:

    • Almost three quarters of organizations (UK=68; US=71 percent) admit to having software waste
    • An overwhelming majority (UK=92; US=83 percent) have undeployed software licenses, more commonly known as shelfware
    • Four fifths (UK=80; US=84 percent) agree that there is more than $100 worth of installed but unused software per PC
      Furthermore, the study found that:
    • On average, at least 10 percent of all software purchased is destined to become shelfware – at a cost of between $145-155 per user per year for each organization
    • The majority of respondents (UK=85; US=72 percent) feel that software asset management is too complex and over two thirds in both the UK and US (66 percent) find preparing for vendor audits challenging
    • Half (UK=50; US=52 percent) of enterprises still use spreadsheets to record software licenses
    • Approximately one in ten (UK=9; US=12 percent) still use paper-based filing systems, while some (UK=14 percent; US=12 percent) staggeringly even admitted to not having a process in place at all."

    May 01, 2011
    * DOJ OIG: FBI's Ability to Address the National Security Cyber Intrusion Threat

    DOJ OIG: The Federal Bureau of Investigation's Ability to Address the National Security Cyber Intrusion Threat (Redacted Version), Audit Report 11-22, April 2011

  • "...Despite these efforts, the National Cyber Investigative Joint Task Force (NCIJTF) needs to continue to improve its capabilities to combat cyber attacks."
  • * Paper: Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy

    Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy, Jerry Brito & Tate Watkins, Mercatus Center at George Mason University, Apr 26, 2011.

  • "Over the past two years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.” Proposed responses include increased federal spending on cybersecurity and the regulation of private network security practices. The rhetoric of “cyber doom” employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well. Part I of this article, draws a parallel between today’s cybersecurity debate and the run-up to the Iraq War and looks at how an inflated public conception of the threat we face may lead to unnecessary regulation of the Internet. Part II draws a parallel between the emerging cybersecurity establishment and the military-industrial complex of the Cold War and looks at how unwarranted external influence can lead to unnecessary federal spending. Finally, Part III surveys several federal cybersecurity proposals and presents a framework for analyzing the cybersecurity threat."
  • * Investigation: Potentially 10 Million Credit Cards Exposed in Sony PlayStation Security Breach

    EPIC: "Senator Richard Blumenthal (D-CT) wrote to Attorney General Eric Holder asking that the Department of Justice open an investigation into the Sony PlayStation security breach. Sony recently informed PlayStation Network customers that an "unauthorized user" had obtained the personal and financial information of 70 million gamers, including minors. Blumenthal wrote that whomever hacked into the PlayStation Network violated the Computer Fraud and Abuse Act. He also expressed concern about Sony's week-long delay in notifying users about the breach. In 2009, EPIC testified before Congress about the need to strengthen data breach notification laws, noting "in the absence of security obligations and breach notification requirements, it is too easy for firms to continue bad practices." For more information, see EPIC: Identity Theft.

  • The Economist: Serious glitches at Sony and Amazon have revived worries about the risks of handling data online
  • April 24, 2011
    * 'HTTPS Now' Campaign Urges Users to Take an Active Role in Protecting Internet Security

    News release: "The Electronic Frontier Foundation (EFF) and Access have launched an international campaign for HTTPS Now, rallying consumers around the world to help us make web surfing safer. HTTPS (Hypertext Transfer Protocol Secure) protects web surfing by encrypting requests from a user's browser and the resulting pages that are displayed, but many websites default to using the unencrypted and vulnerable HTTP protocol. The HTTPS Now campaign takes a three-pronged approach to protecting web surfing, including distributing updated tools for people to use to protect their web browsing, taking an Internet-wide survey of the state of HTTPS deployment, and helping website operators implement HTTPS. As a first step, individuals using the web are encouraged to install HTTPS Everywhere, a security tool for the Firefox browser developed by EFF and the Tor Project. HTTPS Everywhere automatically encrypts a user's browsing, changing it from HTTP to HTTPS whenever possible."

    April 23, 2011
    * Tracking Citizen Whereabouts Using SmartPhone Logs

    Declan McCullagh,Chief political correspondent, CNET: How police have obtained iPhone, iPad tracking logs

  • "Law enforcement agencies have known since at least last year that an iPhone or iPad surreptitiously records its owner's approximate location, and have used that geolocation data to aid criminal investigations. Apple has never publicized the undocumented feature buried deep within the software that operates iPhones and iPads, which became the topic of criticism this week after a researcher at a conference in Santa Clara, Calif., described in detail how it works. Apple had acknowledged to Congress last year only that "cell tower and Wi-Fi access point information" is "intermittently" collected and "transmitted to Apple" every 12 hours. At least some phones running Google's Android OS also store location information, Swedish programer Magnus Eriksson told CNET today. And research by another security analyst suggests that "virtually all Android devices" send some of those coordinates back to Google."
  • WSJ.com: Apple, Google Collect User Data
  • 3 New Thoughts on Mobile Location – A Follow up to Apple Location Tracking
  • April 20, 2011
    * NSA: Best Practices for Keeping Your Home Network Secure

    Best Practices for Keeping Your Home Network Secure, April 2011.

  • "The cyber threat is no longer limited to your office network and work persona. Adversaries realize that targets are typically more vulnerable when operating from their home network since there is less rigor associated with the protection, monitoring, and maintenance of most home networks. Home users need to maintain a basic level of network defense and hygiene for both themselves and their family members when accessing the Internet."
  • April 19, 2011
    * Verizon Risk Team: 2011 Data Breach Investigations Report

    News release: "Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the "Verizon 2011 Data Breach Investigations Report." These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices. The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date. According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action. The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.

  • 2011 Data Breach Investigations Report, A study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit."
  • April 17, 2011
    * White House Releases National Strategy for Trusted Identities in Cyberspace

    National Strategy for Trusted Identities in Cyberspace, Enhancing Online Choice, Efficiency, Security, and Privacy - April 2011

  • "A secure cyberspace is critical to our prosperity 1 We use the Internet and other online environments to increase our productivity, as a platform for innovation, and as a venue in which to create new businesses “Our digital infrastructure, therefore, is a strategic national asset, and protecting it—while safeguarding privacy and civil liberties—is a national security priority” and an economic necessity. By addressing threats in this environment, we will help individuals protect themselves in cyberspace and enable both the private sector and government to offer more services online As a Nation, we are addressing many of the technical and policy shortcomings that have led to insecurity in cyberspace Among these shortcomings is the online authentication of people and devices: the President’s Cyberspace Policy Review established trusted identities as a cornerstone of improved cybersecurity...The National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy) charts a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions."
  • April 08, 2011
    * Presidential Policy Directive - National Preparedness

    Presidential Policy Directive PPD-8, National Preparedness, March 30, 2011 [via FAS]

  • "This directive is aimed at strengthening the security and resilience of the United States through systematic preparation for the threats that pose the greatest risk to the security of the Nation, including acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters. Our national preparedness is the shared responsibility of all levels of government, the private and nonprofit sectors, and individual citizens. Everyone can contribute to safeguarding the Nation from harm. As such, while this directive is intended to galvanize action by the Federal Government, it is also aimed at facilitating an integrated, all-of-Nation, capabilities-based approach to preparedness. Therefore, I hereby direct the development of a national preparedness goal that identifies the core capabilities necessary for preparedness and a national preparedness system to guide activities that will enable the Nation to achieve the goal. The system will allow the Nation to track the progress of our ability to build and improve the capabilities necessary to prevent, protect against, mitigate the effects of, respond to, and recover from those threats that pose the greatest risk to the security of the Nation."
  • Presidential Policy Directives [PPDs] Barack Obama Administration
  • April 07, 2011
    * Epsilon Data Breach Threatens E-mail Privacy of Millions

    Via EPIC: "Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capitol One, Tivo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data."

    April 05, 2011
    * Symantec Internet Security Threat Report: Trends for 2010

    Symantec Internet Security Threat Report Trends for 2010, Volume 16, Published April 2011

  • "Spam and phishing data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; MessageLabs™ Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; as well as other Symantec technologies. Data is collected in more than 86 countries from around the globe. Over 8 billion email messages, as well
    as over 1 billion Web requests are processed per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future."
  • "Symantec recorded over 3 billion malware attacks in 2010 and yet one stands out more than the rest - Stuxnet. This attack captured the attention of many and led to wild speculation on the target of the attacks and who was behind them...."
  • March 31, 2011
    * FTC Chairman Issues Commission's 2011 Annual Report Highlights Agency Accomplishments to Protect Consumers and Competition

    "Federal Trade Commission Chairman Jon Leibowitz today issued the FTC’s 2011 Annual Report at the American Bar Association’s Section of Antitrust Law Spring Meeting in Washington, DC, highlighting the agency’s continued efforts to protect financially distressed consumers and promote competition during the economic downturn.

  • “Over the past year, the FTC has challenged unscrupulous business practices and anticompetitive mergers, shut down shady operations and deceptive marketing campaigns, and protected consumers’ privacy and their pocketbooks,” Chairman Leibowitz said. “The agency’s actions in the past 12 months have had far-reaching effects in protecting consumers and competition in critical sectors of our economy – from high tech to health care, financial services to online commerce.”
  • March 28, 2011
    * DHS - Enabling Distributed Security in Cyberspace

    Enabling Distributed Security in Cyberspace - Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action, March 23, 2011

  • "Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non‐profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies) – that interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life. This discussion paper explores the idea of a healthy, resilient – and fundamentally more secure – cyber ecosystem of the future, in which cyber participants, including cyber devices, are able to work together in near‐real time to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state. In this future cyber ecosystem, security capabilities are built into cyber devices in a way that allows preventive and defensive courses of action to be coordinated within and among communities of devices. Power is distributed among participants, and near‐real time coordination is enabled by combining the innate and interoperable capabilities of individual devices with trusted information exchanges and shared, configurable policies."
  • March 23, 2011
    * AVG Study Reveals Alarming Complacency Among Users of Mobile Devices on Security

    Smartphone Security - Survey of U.S. consumers, Ponemon Institute© Research Report, Sponsored by AVG Technologies, Independently conducted by Ponemon Institute LLC, Publication Date: March 2011

  • News release: "AVG Technologies, one of the leading providers of consumer security software, today revealed details of a sobering study uncovering new statistics about the data security risks involved in everyday smartphone use. Findings are the result of a recent study conducted by the Ponemon Institute in concert with AVG of 734 random US consumers over age 18 regarding their mobile communications behavior. The study confirmed AVG’s concerns focus on consumers indifference to the many serious security risks associated with the storage and transmission of sensitive personal data on iPhone, Blackberry and Android devices. Following are three of the most alarming:
    • 89 percent of respondents were unaware that smartphone applications can transmit confidential payment information such as credit card details without the user’s knowledge or consent.
    • 91 percent of respondents were unaware that financial applications for smartphones can be infected with specialized malware designed to steal credit card numbers and online banking credentials, yet nearly a third (29 percent) report already storing credit and debit card information on their devices and 35 percent report storing “confidential” work related documents as well.
    • 56 percent of respondents did not know that failing to properly log off from a social network app could allow an imposter to post malicious details or change personal settings without their knowledge. Of those aware, 37 percent were unsure whether or not their profiles had already been manipulated.
  • March 16, 2011
    * Report: 2010 U.S. Cost of a Data Breach

    News release: "The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies sponsored by Symantec Corporation. The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The study also found that for the second straight year organizations’ need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors."

    March 10, 2011
    * Wikileaks and Freedom, Autonomy and Sovereignty in the Cloud

    You Have No Sovereignty Where We Gather – Wikileaks and Freedom, Autonomy and Sovereignty in the Cloud, Balázs Bodó - Budapest University of Technology and Economics; Stanford Law School Center for Internet and Society, March 7, 2011

  • "Wikileaks represents a new type of (h)activism, which shifts the source of potential threat from a few, dangerous hackers and a larger group of mostly harmless activists – both outsiders to an organization – to those who are on the inside. For insiders trying to smuggle information out, anonymity is a necessary condition for participation. Wikileaks has demonstrated that the access to anonymity can be democratized, made simple and user friendly. Being Anonymous in the context of Wikileaks has a double promise: it promises to liberate the subject from the existing power structures, and in the same time it allows the exposure of these structures by opening up a space to confront them. The Wikileaks coerced transparency, however, is nothing more than the extension of the Foucauldian disciplinary power to the very body of state and government. While anonymity removes the individual from existing power relations, the act of surveillance puts her right back to the middle. The ability to place the state under surveillance limits and ultimately renders present day sovereignty obsolete. It can also be argued that it fosters the emergence of a new sovereign in itself. I believe that Wikileaks (or rather, the logic of it) is a new sovereign in the global political/economic sphere. But as it stands now, Wikileakistan shares too much with the powers it wishes to counter. The hidden power structures and the inner workings of these states within the state are exposed by another imperium in imperio, a secretive organization, whose agenda is far from transparent, whose members, resources are unknown, holding back an indefinite amount of information both on itself and on its opponents. I argue that it is not more secretive, one sided transparency which will subvert and negate the control and discipline of secretive, one sided transparency, it is anonymity."
  • March 08, 2011
    * Civil Liberties and Industry Groups Release Cybersecurity White Paper

    News release: "For the first time, industry groups and civil liberties interests have come together to advocate a comprehensive, common approach to cybersecurity. That approach is reflected in today's release of a cybersecurity white paper that rejects government mandates and advocates for a stronger partnership between industry and government. The 20-page white paper is a joint release from CDT, U.S. Chamber of Commerce, Business Software Alliance, TechAmerica, and the Internet Security Alliance."

    * FTC Releases List of Top Consumer Complaints in 2010

    News release: "The Federal Trade Commission today released the list of top consumer complaints received by the agency in 2010. The list showed that for the 11th year in a row, identity theft was the number one consumer complaint category. Of 1,339,265 complaints received in 2010, 250,854 – or 19 percent – were related to identity theft. Debt collection complaints were in second place, with 144,159 complaints. The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted."

    March 04, 2011
    * Scareware Highlights Document Release from Russia's largest online payments processor

    ChronoPay’s Scareware Diaries: "If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments. Tens of thousands of documents stolen and leaked last year from ChronoPay offer a fascinating look into a company that has artfully cultivated and handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software."

    February 27, 2011
    * Internet Crime Complaint Center - 2010 Internet Crime Report

    2010 Internet Crime Report, The Internet Crime Complaint Center (IC3), February 2011

  • "Now in its tenth year, the Internet Crime Complaint Center (IC3) has become a vital resource for victims of online crime and for law enforcement investigating and prosecuting offenders. In 2010, IC3 received the second-highest number of complaints since its inception. IC3 also reached a major milestone this year when it received its two-millionth complaint. On average, IC3 receives and processes 25,000 complaints per month. IC3 is more than a repository for victim complaints. It serves as a conduit for law enforcement to share information and pursue cases that often span jurisdictional boundaries. IC3 was founded in 2000 as a joint effort between the National White Collar Crime Center (NW3C)/Bureau of Justice Assistance (BJA) and the Federal Bureau of Investigation (FBI). That partnership leveraged the resources necessary to aid law enforcement in every aspect of an Internet fraud complaint.
    The most common victim complaints in 2010 were non-delivery of payment/merchandise, scams impersonating the FBI (hereafter “FBI-related scams”) and identity theft. Victims of these crimes reported losing hundreds of millions of dollars."
  • February 18, 2011
    * UK Cabinet Office Report: The Cost Of Cyber Crime

    The Cost of Cybercrime: A Detica Report in Partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, February 17, 2011

  • "Few areas of our lives remain untouched by the digital revolution. Across the world, there are now nearly two billion internet users and over five billion mobile phone connections; every day, we send 294 billion emails and five billion SMS messages. Over 91 per cent of UK businesses and 73 per cent of UK households have internet access and £47.2 billion was spent online in the UK alone in 2009. Our society is now almost entirely dependent on the continued availability, accuracy and confidentiality of its Information and Communications Technology (ICT). We need it for our economic health, for the domestic machinery of government, for national defence and for our day-to-day social and cultural existence. As well as significant benefits, the technology has also enabled old crimes to be committed in new and more subtle ways. In its National Security Strategy4, cyber threats are recognised by the Government as one of four ‘Tier One’ risks to the UK’s security. But estimates of the cost of cyber crime have until now not been able to provide a justifiable estimate of economic impact and have failed to address the breadth of the problem. Therefore, the Office of Cyber Security and Information Assurance (OCSIA) worked with Detica to look more closely at the cost of cyber crime in the UK and, in particular, to gain a better appreciation of the costs to the UK economy of Intellectual Property (IP) theft and industrial espionage. Further developments of cyber crime policy, strategies and detailed plans will thus benefit from this insight."
  • February 17, 2011
    * OPM Issues Competency Model for Cybersecurity

    "The U.S. Office of Personnel Management (OPM), the Chief Information Officers (CIO) Council and the Chief Human Capital Officers Council's Workforce Development Subcommittee identified cybersecurity related occupations as high priorities for Governmentwide competency models. In November 2009, OPM initiated a Governmentwide study to identify critical competencies for cybersecurity work, working with the CIO Council and the National Initiative for Cybersecurity Education (NICE). Subject matter experts provided key insights, and employees and supervisors across the Government completed surveys to paint a comprehensive picture of cybersecurity work. We are pleased to provide the attached Cybersecurity competency model to support your human resources initiatives. The competencies identified may be used in such agency efforts as workforce planning, training and development, performance management, recruitment, and selection. When used for selection, the competencies must be used in conjunction with the appropriate qualification standard."

    February 13, 2011
    * Backgrounder - 10 Conservative Principles for Cybersecurity Policy

    10 Conservative Principles for Cybersecurity Policy, by Paul Rosenzweig, George Washington University School of Law; Posted FEbruary 10, 2011

  • "In the age of the Internet, which now determines daily life for Americans, many threats to the U.S. now exist in the cyber domain. Cybersecurity is a near constant theme in Washington, as well as for private companies around the country. Congress and government agencies are clamoring to develop policies and strategies to protect national security and commercial interests. Internet attacks are already a standard feature of modern life, and the threats and their implications—from hacking into company sites to steal credit card numbers to hacking into government computers for espionage—are growing fast. Cybersecurity must be addressed—the right way. This Heritage Foundation paper outlines the basic facts of the Internet—and the policy principles to which they lead."
  • February 12, 2011
    * Advanced sign-in security for your Google account

    Official Google Blog: "Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples...that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information...2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page."

    February 08, 2011
    * 2010 U.S. Intellectual Property Enforcement Coordinator Annual Report on Intellectual Property Enforcement

    2010 U.S. Intellectual Property Enforcement Coordinator Annual Report on Intellectual Property Enforcement, U.S. Intellectual Property Enforcement Coordinator, February 2011

  • "Over the last six months, we have heard repeated concerns about enforcement of patents and trade secrets, particularly in China. This year, DOJ and the Federal Bureau of Investigation (FBI) have increased their investigations and prosecutions of corporate and state-sponsored trade secret theft. For example, in July, two defendants were indicted for stealing General Motors hybrid-vehicle technology trade secrets that caused more than $40 million of harm to GM and, in November, a defendant was convicted of stealing Ford trade secrets that caused between $50 to $100 million of harm to Ford. This focus will continue. In addition, the U.S. Patent and Trademark Office (USPTO) will lead an effort this year to thoroughly assess the patent enforcement landscape in China and recommend steps that the U.S. Government can take to improve patent enforcement there."
  • February 05, 2011
    * Reports that White House e-mail system used in UK cyberattack

    Federal Computer Week: "The White House's unclassified e-mail system is back up after an eight-hour outage, but the e-mail security problems may go deeper. It was disclosed February 4, 2011 that some officials alleged White House e-mails were the source of a cyberattack against British officials two months ago. Officials from the United Kingdom said today that alleged White House e-mail accounts were the source of a malware attack against U.K. government officials in late December, according to news report."

  • "The UK Government highlighted attacks upon UK cyberspace as a priority risk in its National Security Strategy published in October 2010. The setting for the Foreign Secetary's speech is the 47th Munich Security Conference on 4 February. The UK delegation is led by Prime Minister David Cameron. [Read Foreign Secretary's speech in full - snipped here: "Government systems are being targeted too. ZEUS is a well-known piece of malware that attempts to steal banking information and other personal details. In late December a spoofed email purporting to be from the White House was sent to a large number of international recipients who were directed to click on a link that then downloaded a variant of ZEUS. The UK Government was targeted in this attack and a large number of emails bypassed some of our filters. Our experts were able to clear up the infection, but more sophisticated attacks such as these are becoming more common."
  • * WSJ Report: Nasdaq systems were hacked last year

    Computerworld via WSJ: "Federal authorities are investigating a computer intrusion at the company that runs the Nasdaq stock exchange, the Wall Street Journal reported Friday. According to the report, which cites anonymous sources, Nasdaq OMX Group computers were compromised sometime over the past year, but the company's trading platform was unaffected. "So far, [the perpetrators] appear to have just been looking around," the Journal quotes one source as saying. Nasdaq OMX Group runs a number of stock exchanges, including the U.S. Nasdaq, and exchanges that trade in Copenhagen, Stockholm, Helsinki, and the Baltic region. The investigation is being conducted by the U.S. Federal Bureau of Investigation and the U.S. Secret Service, the report states."

    February 02, 2011
    * DOE IG: Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security

    Audit Report, Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security, DOE/IG-0846, January 2011

  • "Despite their importance to protecting the power grid, the CIP [Critical Infrastructure Protection] standards did not include a number of security controls commonly recommended for government and industry systems, including both administrative and mission-related systems. For instance, the standards did not include essential security requirements and effective practices such as defining what constituted critical assets and implementation of strong logical access controls. In certain cases, Commission officials noted that the lack of stringent requirements for defining critical assets contributed to significant under reporting of these assets. In addition, while we recognize that there are inherent delays associated with the current regulatory structure, we found that the timeliness of the standards development and approval process was also impacted because the Commission did not take advantage of existing authority. Delays ultimately limited the standards' usefulness in facilitating responses to emerging threats. Without increased efficiency in this area, the Commission and the entities under its purview may not be able to develop and implement future standards in a timely manner to address emerging security threats.."
  • February 01, 2011
    * Arbor Networks' Sixth Annual Worldwide Infrastructure Security Report

    Arbor Networks' Sixth Annual Worldwide Infrastructure Security Report

  • "Arbor Networks®, in cooperation with the Internet operational security community, has completed the sixth edition of an ongoing series of annual operational security surveys. This survey, covering roughly a 12-month period from October 2009 through September 2010, is designed to provide industry-wide data to network operators. This data is intended to enable more informed decisions about the use of network security technology to protect mission-critical Internet and other IP-based infrastructure. The survey output serves as a general resource for the Internet operations and engineering community, recording information on trends and employment of various infrastructure security techniques...After a respite in the growth of packet-flooding DDoS attack bandwidth during the 2008 to 2009 survey period, attackers have moved aggressively over the current survey period to dramatically increase attack volumes—for the first time launching DDoS attacks breaking the 100 Gbps barrier. This represents a 102 percent increase in DDoS attack bandwidth since the previous survey period and a staggering 1000 percent increase since Arbor released the first Worldwide Infrastructure Security Report (WISR) in 2005..."
  • January 27, 2011
    * FTC: Court Freezes Assets of Massive Internet Enterprise in Alleged Billing Scheme

    News release: "At the request of the Federal Trade Commission, a federal court has frozen the assets of corporations and an individual behind a far-reaching Internet enterprise that allegedly made more than $275 million by luring consumers into deceptive “trial” memberships, and bogus government-grant and money-making schemes. The court froze the assets of 61 corporations (collectively known as “I Works”) and their alleged ringleader, Jeremy Johnson. It placed these defendants’ assets under the control of a court-supervised receiver to help ensure that funds are available for consumer restitution when the case is concluded. In December 2010, the FTC alleged that I Works lured consumers into “trial” memberships for bogus government-grant and money-making schemes, and then repeatedly charged monthly fees for these and other memberships the consumers never ordered. According to the FTC’s complaint, the operation used websites that pitch various money-making programs or tout the availability of government grants to pay personal expenses."

    January 23, 2011
    * Federal Government Cybersecurity Progress: Obama Administration Report Card 2009 - Present

    National Security Cyberspace Institute - Federal Government Cybersecurity Progress: Obama Administration Report Card 2009-Present

  • What follows is an "Obama Administration Report Card," whereby we have awarded grades for progress against a number of the recommendations contained in the 60-Day Review, or "Hathaway Report" as it is commonly called. The Hathaway Report contained recommendations broken down into two categories of action plans, designated as Near-Term and Mid-Term, with neither plan being defined in terms of timing or projected dates of completion – perhaps its most glaring shortfall. Now that the administration is over halfway through their elected term, we believe enough time has passed to make it entirely reasonable to expect complete or near-complete implementation of action items described as "near term." We've therefore evaluated the administration's progress against the ten recommendations contained in the Near-Term Action Plan while withholding judgment for now on the additional 14 recommendations in the Mid-Term Action Plan."
  • January 15, 2011
    * Vanity Fair - The Man Who Spilled the Secrets - WikiLeaks Assange

    The Man Who Spilled the Secrets: "The collaboration between WikiLeaks founder Julian Assange, the Web’s notorious information anarchist, and some of the world’s most respected news organizations began at The Guardian, a nearly 200-year-old British paper. What followed was a clash of civilizations—and ambitions—as Guardian editors and their colleagues at The New York Times and other media outlets struggled to corral a whistle-blowing stampede amid growing distrust and anger. With Assange detained in the U.K., the author reveals the story behind the headlines." By Sarah Ellison

    January 12, 2011
    * Commentary - Undersea Cables: The Achilles Heel of our Economies

    Follow up to Critical Undersea Internet Cables Damaged Between Europe and Mideast, this related commentary, Undersea Cables: The Achilles Heel of our Economies, by Franz-Stefan Gady

  • "Hardly any people know that our global digital connectivity rests upon a relatively few fiber optic cables lying at the bottom of the Atlantic, Pacific, and Indian Oceans. They wrongly believe that their international communications are carried via satellite links. The truth is that 99 percent of transcontinental Internet traffic travels through these connecting cables; these are the lifelines of our economies. For proof, simply take a quick look at the financial services sector. In 2004 alone, nine million messages and approximately $7.4 trillion a day were traded via undersea cables worldwide. The Society for Worldwide Interbank Financial Telecommunication (SWIFT), a provider of financial messaging, sends about 15 million messages a day over cables. 1 million of these are financial transactions, amounting to over $4.7 trillion dollars a day commuting via the same undersea cables. The finance hub Hong Kong doubles its dependency, i.e. the volume of messages going through these cables, every 18 months."
  • * Report: Protecting the Digital Economy

    "On January 10, 2011, the EastWest Institute released a report detailing the results of the First Worldwide Cybersecurity Summit: Protecting the Digital Economy, and outlining the cybersecurity initiative’s next steps as it prepares for the Second Worldwide Cybersecurity Summit in London on June 1-2. At the summit, held from May 3 to 5, 2010 in Dallas, Texas, EWI brought together over 400 technical experts, policy elites and national security officials from the Cyber40, an informal grouping of the world’s most digitally-advanced countries—among others, the United States, China, India, Russia and Estonia. Participants worked to identify problems facing crucial sectors of the Internet, such as financial services and essential government services, and forge concrete solutions to protect the world’s digital infrastructure."

    January 09, 2011
    * Next Steps to Enhance Online Security, Planned National Office for Identity Trust Strategy

    News release: "At a forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt announced plans to create a National Program Office to help foster an environment in which sensitive online transactions can be carried out with greater levels of trust. The National Program Office, to be established within the Department of Commerce, would coordinate federal activities needed to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC), an Obama administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for consumers. The national office would serve as the point of contact to bring the public and private sectors together to meet this challenge."

    January 05, 2011
    * Majority of Federal Employees Go Beyond Mandatory IT Security Requirements

    News release: "Most Federal employees go beyond baseline IT security requirements, according to a new survey by the Government Business Council, the research division of Government Executive Media Group, and CDW Government LLC (CDW-G), a leading provider of technology solutions to government, education and healthcare customers. While 97 percent of Federal employees are required by their agencies to use authentication measures such as passwords, security tokens and biometric identifiers, most take still more security precautions to protect agency data. Respondents noted that they proactively lock their screens when they are away from their computers and only use secure network connections and agency-issued machines to further secure information...The survey, underwritten by CDW-G in partnership with HP, conducted in September 2010, captured the views of 230 randomly selected Federal defense and civilian decision makers."

  • Mobile Computing at Federal Agencies: Frequency, Functionality, & Security - A Candid Survey of Federal Executives
  • * Top Issues Facing Social Security Administration Management - Fiscal Year 2011

    Top Issues Facing Social Security Administration Management - Fiscal Year 2011, December 2010

  • "The Reports Consolidation Act of 2000 requires that we summarize for inclusion in the Social Security Administration’s (SSA) Performance and Accountability Report, our perspective on the most serious management and performance challenges facing SSA. We have determined that the top management issues facing SSA in Fiscal Year 2011 are: Implement the American Recovery and Reinvestment Act Effectively and Efficiently, Improve Customer Service, Improve the Timeliness and Quality of the Disability Process, Improve Transparency and Accountability, Invest in Information Technology Infrastructure to Support Current and Future Workloads, Reduce Improper Payments and Increase Overpayment Recoveries, Reduce the Hearings Backlog and Prevent its Recurrence, and Strengthen the Integrity and Protection of the Social Security Number."
  • December 30, 2010
    * Help Net Reports Significant Decline of Spam

    Help Net: "In October Commtouch reported an 18% drop in global spam levels (comparing September and October). This was largely attributed to the closure of Spamit around the end of September. Spamit is the organization allegedly behind a fair percentage of the worlds pharmacy spam. Analysis of the spam trends to date reveals a further drop in the amounts of spam sent during Q4 2010. December’s daily average was around 30% less than September’s. The average spam level for the quarter was 83% down from 88% in Q3 2010. The beginning of December saw a low of nearly 74%."

    December 29, 2010
    * Report: Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites

    "The Berkman Center for Internet & Society is pleased to share a new report, Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites by Ethan Zuckerman, Hal Roberts, Ryan McGrady, Jillian York, John Palfrey

  • "Distributed Denial of Service (DDoS) is an increasingly common Internet phenomenon capable of silencing Internet speech, usually for a brief interval but occasionally for longer. In this paper, we explore the specific phenomenon of DDoS attacks on independent media and human rights organizations, seeking to understand the nature and frequency of these attacks, their efficacy, and the responses available to sites under attack. Our report offers advice to independent media and human rights sites likely to be targeted by DDoS but comes to the uncomfortable conclusion that there is no easy solution to these attacks for many of these sites, particularly for attacks that exhaust network bandwidth."
  • December 03, 2010
    * Verizon White Paper: Escaping from Microsoft’s Protected Mode Internet Explorer

    Escaping from Microsoft’s Protected Mode Internet Explorer - Evaluating a potential security boundary, November 2010

  • "In Internet Explorer 7 and Windows Vista, Microsoft introduced a new browser security feature called “Protected Mode”. According to Microsoft, this mechanism “significantly reduces the ability of an attack [against Internet Explorer] to write, alter or destroy data on the user’s machine”.1,2 A clearer description is that the feature attempts to protect the integrity of the client machine in the event the browser is compromised in an attack and prevent malware from being persisted on the targeted machine. This paper will describe why this is not currently the case in Internet Explorer 7 or 8 for remote code execution vulnerabilities, discuss the limitations of the feature by design, identify generic attacks patterns that can be used to bypass the feature (without user intervention) and discuss some inconsistencies in the underlying access control implemented in Microsoft® Windows®."
  • November 28, 2010
    * WikiLeaks Data Dump Verifies China's Attack On Google

    Following WikiLeaks Releases Secret US Embassy Cables, confirmation that China hacked Google's source code - see also related information on this issue from TechCrunch.

    * Internet Crime Complaint Center - Holiday Shopping Tips

    Holiday Shopping Tips: "This holiday season the FBI reminds shoppers that cyber criminals aggressively create new ways to steal money and personal information. Scammers use many techniques to fool potential victims, including conducting fraudulent auction sales, reshipping merchandise purchased with stolen credit cards, and selling fraudulent or stolen gift cards through auction sites at discounted prices...If you have received a scam email, please notify the IC3 by filing a complaint at http://www.IC3.gov. For more information on e-scams, please visit the FBI's New E-Scams and Warnings webpage at http://www.fbi.gov/cyberinvest/escams.htm."

    November 22, 2010
    * EFF Tool Offers New Protection Against Exploits of Webpage Security Flaws

    News release: "The Electronic Frontier Foundation (EFF) has launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against "Firesheep" and other exploits of webpage security flaws. HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking... This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough...Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly."

    November 18, 2010
    November 15, 2010
    * Cross-Border Crime Forum Report - Identity-Related Crime: A Threat Assessment

    Identity-Related Crime: A Threat Assessment - A Report to the Attorney General of the United States and the Minister of Public Safety of Canada, November 2010

  • "This threat assessment focuses on five aspects of the identity-related crime problem as it affects Canada and the United States: (1) the scope and extent of the problem; (2) the purposes of identity-related crime; (3) the categories of individuals who engage in or are victimized by identity-related crime; (4) the methods and techniques that criminals use to commit identity-related crime; and (5) the responses to the problem. Its purpose is to identify and describe the most problematic features of this crime problem, as well as the approaches being used in both countries to combat it.
    Annually, a significant percentage of the U.S and Canadian populations is the victim of some kind of identity-related crime. The continuing vulnerability and insecurity of various types of payment mechanisms and identification documents is one of the persistent problems in combating identity-related crime. Criminals and criminal organizations engage in a wide variety of identity-related crime to commit fraud, unlawfully obtaining goods, services, or benefits from the public or private sector."
  • November 13, 2010
    * NYT Magazine: The Great Cyberheist

    Follow up to Major International Hacker Pleads Guilty For Massive Attack On U.S. Retail And Banking Networks, this Sunday New York Times cover article, The Great Cyberheist, details the remarkable double life of a young man who received the "longest sentence ever handed down to an American for computer crimes."

    November 02, 2010
    * Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy

    Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy, October 2010.

  • "In a world of increasing dependence on information technology, the prevention of cyberattacks on a nation's important computer and communications systems and networks is a problem that looms large. Given the demonstrated limitations of passive cybersecurity defense measures, it is natural to consider the possibility that deterrence might play a useful role in preventing cyberattacks against the United States and its vital interests. At the request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government. The first phase produced a letter report providing basic information needed to understand the nature of the problem and to articulate important questions that can drive research regarding ways of more effectively preventing, discouraging, and inhibiting hostile activity against important U.S. information systems and networks. The second phase of the project entailed selecting appropriate experts to write papers on questions raised in the letter report. A number of experts, identified by the committee, were commissioned to write these papers under contract with the National Academy of Sciences. Commissioned papers were discussed at a public workshop held June 10-11, 2010, in Washington, D.C., and authors revised their papers after the workshop. Although the authors were selected and the papers reviewed and discussed by the committee, the individually authored papers do not reflect consensus views of the committee, and the reader should view these papers as offering points of departure that can stimulate further work on the topics discussed. The papers presented in this volume are published essentially as received from the authors, with some proofreading corrections made as limited time allowed."
  • November 01, 2010
    * Google Confronts China's "Three Warfares"

    Google Confronts China’s “Three Warfares”, by Timothy L. Thomas. Parameters, Summer 2010, Vol. 40, No. 2, U.S. Army War College.

  • "In early January 2010, Google announced that a computer attack originating from China had penetrated its corporate infrastructure (in mid-December) and stolen information from its computers, most likely source code. The hackers also accessed the Gmail accounts of some human-rights activists and infiltrated the networks of 33 companies. In April 2010, journalist John Markoff wrote: A person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications. The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said." ..China’s recent incursions into US military computer networks and Google’s cyber systems are of concern when viewed in isolation. They reflect a more serious problem when viewed as part of a short-term goal of conducting “preemptive reconnaissance” that accommodates a longer-term goal of affecting US military planning or the US economy. Many factors indicate that this may be China’s goal."

  • October 25, 2010
    * State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust

    State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust, September 2010

  • "People put a lot of trust in state governments to collect, maintain and protect the appropriate information necessary to execute their programs, protect individual rights, and ensure public safety. The volume of that information expands at an ever-increasing pace, and maintenance and protection of that information, particularly where it involves Personally Identifiable Information (PII) and Personal Health Information (PHI), becomes more and more challenging. The 2010 Deloitte-NASCIO Cybersecurity Study finds that states need to do more to secure citizen data and maintain public trust.
  • October 24, 2010
    * FinCEN Study Examines Rise in Identity Theft SARs; Awareness Helps Deter Greater Loss

    Identity Theft Trends, Patterns, and Typologies Reported in Suspicious Activity Reports Filed by Depository Institutions January 1, 2003 – December 31, 2009, released October 2010 by the Financial Crimes Enforcement Network

  • "Reports of identity theft have been increasing for more than a decade...Identity theft was the sixth most frequently reported characterization of suspicious activity within the period of the study, behind structuring/money laundering, check fraud, mortgage loan fraud, credit card fraud, and counterfeit check fraud. Based upon analysis of the study sample, the number of identity theft related depository institution SAR [Suspicious Activity Report] filings submitted during calendar year (CY) 2009 was 123 percent higher than the number reported in CY 2004. This compares with an 89 percent increase in the numbers of all depository institution SAR filings made in CY 2004 versus CY 2009."

  • October 20, 2010
    * A Strong Britain in an Age of Uncertainty: The National Security Strategy

    A Strong Britain in an Age of Uncertainty: The National Security Strategy, October 2010.

  • Our predecessors grappled with the brutal certainties of the Cold War – with an existential danger that was clear and present, with Soviet armies arrayed across half of Europe and the constant threat of nuclear confrontation between the superpowers. Today, Britain faces a different and more complex range of threats from a myriad of sources. Terrorism, cyber attack, unconventional attacks using chemical, nuclear or biological weapons, as well as large scale accidents or natural hazards – any one could do grave damage to our country. These new threats can emanate from states, but also from non state actors: terrorists, home-grown or overseas; insurgents; or criminals. The security of our energy supplies increasingly depends on fossil fuels located in some of the most unstable parts of the planet. Nuclear proliferation is a growing danger. Our security is vulnerable to the effects of climate change and its impact on food and water supply. So the concept of national security in 2010 is very different to what it was ten or twenty, let alone fifty or a hundred years ago...This Strategy is about gearing Britain up for this new age of uncertainty – weighing up the threats we face, and preparing to deal with them. But a strategy is of little value without the tools to implement it, so alongside this National Security Strategy we will tomorrow publish a Strategic Defence and Security Review. This will describe how we will equip our Armed Forces, our police and intelligence agencies to tackle current and future threats as effectively as they dealt with those of the past.
  • October 18, 2010
    * National Protect Your Identity Week - Learn How to Deter, Detect and Defend Against ID Theft

    News release: "This is National Protect Your Identity Week, and the Federal Trade Commission, the nation’s consumer protection agency, has information to help consumers, businesses, and law enforcement officials safeguard personal information and take action if an identity thief strikes.

    • www.ftc.gov/idtheft is a one-stop national resource to learn about the crime of identity theft. Consumers can learn how to avoid identity theft – and what to do if their identity is stolen. Businesses can learn to help their customers deal with identity theft and prevent problems in the first place. Law enforcement officials will find resources that help victims of identity theft.
    • www.YouTube.com/FTCVideos has short educational videos that help consumers learn more about identity theft, phishing, reducing spam, and protecting their computers against unwanted intrusions.
    • www.onguardonline.gov/games lets consumers test their cyber smarts with interactive games on everything from phishing and computer security to social networking and e-mail scams.
    • www.ftc.gov/freereports offers details about a consumer’s right to get a free copy of his or her credit report from each of the three national credit reporting companies, upon request, once every 12 months. Reviewing one’s credit report regularly is an effective way to deter and detect identity theft."

    * State of the Internet 2010: A Report on the Ever-Changing Threat Landscape

    State of the Internet 2010: A Report on the Ever-Changing Threat Landscape, CA Technologies Internet Security Business Unit
    Internet Security Intelligence Report, October 2010

  • "Today approximately 1.8 billion people use the Internet to do everything from conduct business, communicate with friends and family, keep up with current events or simply entertain themselves playing games or watching videos. Each individual and each Internet connected device presents a certain footprint that is exposed and often manipulated for criminal or political gain. Malware, or malicious software, is often the catalyst for this manipulation, while targets span the gamut from corporate and national secrets to personal information that can be used to directly steal money or perpetuate another crime. Technology and the Internet provide the = means and opportunity, while global socioeconomic trends provide the motive to perpetuate these crimes. Supporting this criminal activity and adding to the challenges of protection and law enforcement is the growth of a criminal ecosystem. This network of criminals and services introduces multiple layers of anonymity while providing modular functionality for perpetuating cybercrime. In this paper we have defined this ecosystem as “Crimeware-as-a-Service,” and we share examples of how this ecosystem is exploiting the latest technology trends of cloud computing and social media. The ability to perpetuate these crimes across the Internet without swift and severe repercussions further fuels this Crimeware, challenging security professionals and governments alike to find new ways to protect valuable information."

  • October 17, 2010
    * WSJ: Facebook in Privacy Breach Top-Ranked Applications Transmit Personal IDs

    WSJ: "Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people's names and, in some cases, their friends' names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found. The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure. The problem has ties to the growing field of companies that build detailed databases on people in order to track them online—a practice the Journal has been examining in its What They Know series. It's unclear how long the breach was in place. On Sunday, a Facebook spokesman said it is taking steps to "dramatically limit" the exposure of users' personal information."

    September 24, 2010
    * FTC Testifies on Data Security Legislation

    News release: [On September 22, 2010] the Federal Trade Commission told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach. In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations..
    The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted."

    September 23, 2010
    * Hearing: Operating in the Digital Domain: Organizing the Military Departments for Cyber Operations

    House Armed Services Committee: The Terrorism, Unconventional Threats, and Capabilities Subcommittee met to receive testimony on Operating in the Digital Domain: Organizing the Military Departments for Cyber Operations, September 23, 2010.

    "The recent announcement that the Department of Defense (DOD) suffered a major compromise of classified military computer networks has renewed discussions about what more DOD and the government should do to operate in the digital domain. The establishment of U.S. Cyber Command and the announcement of a new cybersecurity strategy by Deputy Secretary of Defense William Lynn are important milestones, but more needs to be done....the Subcommittee is looking to discuss three main objectives for this hearing:

    • Understand the planned organizational structure for the Military Services cyber component organizations, and how they will present forces to U.S. Cyber Command (CYBERCOM).
    • Understand Service challenges to recruiting, retaining and training a cadre of cyber operations professionals.
    • Discuss initiatives supporting Service-specific requirements for cyber operations."
    • Links to prepared statements are here, here and here

    September 10, 2010
    * GAO Report: Hybrid Warfare

    Hybrid Warfare, GAO-10-1036R, September 10, 2010

  • "Senior military officials recently testified1 before Congress that current and future adversaries are likely to use “hybrid warfare” tactics, a blending of conventional and irregular approaches across the full spectrum of conflict. In addition, several academic and professional trade publications have commented that future conflict will likely be characterized by a fusion of different forms of warfare rather than a singular approach. The overarching implication of hybrid warfare is that U.S. forces must become more adaptable and flexible in order to defeat adversaries that employ an array of lethal technologies to protracted, population-centric conflicts such as those in Iraq and Afghanistan. Department of Defense (DOD) officials have discussed the need to counter the continuum of threats that U.S. forces could face from nonstate-and state-sponsored adversaries, including computer network and satellite attacks; portable surface-to-air missiles; improvised explosive devices; information and media manipulation; and chemical, biological, radiological, nuclear, and highyield explosive devices."
  • September 08, 2010
    * DHS OIG: DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems

    OIG-10-111 - DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems, September 8, 2010

  • "Our audit focused on the security of the systems that US-CERT uses to accomplish its cybersecurity mission. Overall, NCSD has implemented adequate physical security and logical access controls over the cybersecurity program systems used to collect, process, and disseminate cyber threat and warning information to the public and private sectors. However, a significant effort is needed to address existing security issues in order to implement a robust program that will enhance the cybersecurity posture of the federal government. To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures."
  • September 05, 2010
    * Deloitte Airline Fraud Report 2010 - Time to Stop the Losses

    News release: "The airline industry, already challenged by the worst economic crisis in a generation and a massive loss of business through the Icelandic volcano disruptions, is still losing millions of dollars to fraud. A recent survey conducted by Deloitte on behalf of the International Association of Airline Auditors (IAAIA) revealed that fraud is costing each airline an average of US$2.4 million annually. Compared to the cost of the volcanic ash drama, this may not seem a large amount, but combined with the knock-on impact on customer loyalty through unchecked fraudulent practices, it can add up to a much more serious problem. Our findings reveal that a third of airlines believe fraud to be a significant problem, and one that has increased in the past year. The results of the survey make intriguing reading for anyone working in the industry. The biggest threat today comes from credit card crime, which was highlighted in a similar survey conducted by Deloitte three years ago. Organized crime, weak technology controls, and the lack of resources to monitor fraud were given as additional risk factors, with some airlines saying staff training was also inadequate."

  • Airline Fraud Report 2010 - Time to Stop the Losses
  • August 26, 2010
    * Commentary: Billions still illegally flowing through US banks

    Interbank transaction data stripped from entities blacklisted by DOJ for money laundering: "Last week Britain's Barclays Bank became the latest foreign bank to be penalized hundreds of millions of dollars for allegedly helping US-sanctioned parties clandestinely move large sums of money through the American financial system. Barclays agreed to pay $298 million for allegedly helping clients in Iran, Cuba, Libya, Sudan and Burma by "stripping" international wire transfer messages, that is, by removing any reference to the sanctioned parties so that the US banks clearing the transactions did not know that a sanctioned party was involved and therefore did not block or freeze the transaction. As odd as it may seem, this practice appears to have been commonplace amongst European banks just a few years ago. The homeland security implications are staggering."

  • See also Legal Times: Judge Approves $298M Settlement Between DOJ, Barclays Bank

  • August 11, 2010
    * Cisco 2010 Midyear Security Report

    Cisco 2010 Midyear Security Report - The impact of global security threats and trends on the enterprise

  • "Web 2.0, mobility, virtualization, and other dramatic shifts in how we communicate and collaborate are carving out a new landscape for business and for enterprise security. The Cisco® Midyear Security Report examines these changes and their impact on the enterprise, and highlights other significant trends and threats creating security challenges for organizations worldwide. The report also includes recommendations from Cisco security experts designed to help enterprises strengthen their security."
  • August 09, 2010
    * DOE Estimates 10 Million Cyberattacks Daily

    Forbes: "The U.S. Department of Energy is in a class by itself, though. The agency receives more than 10 million attacks every day, according to Tom Pyke, the DOE's former CIO. That includes everything from simple scans all the way up to phishing attacks that attempt to use malicious code to take over. And it can be as sophisticated as any attacker--think government--can make it."

    August 04, 2010
    * Verizon 2010 Data Breach Investigations Report

    2010 Data Breach Investigations Report, A study conducted by the Verizon RISK Team in cooperation with the United States Secret Service

  • "In some ways, data breaches have a lot in common with fingerprints. Each is unique and we learn a great deal by analyzing the various patterns, lines, and contours that comprise each one. The main value of fingerprints, however, lies in their ability to identify a particular individual in particular circumstances. In this sense, studying them in bulk offers little additional benefit. On the other hand, the analysis of breaches in aggregate can be of great benefit; the more we study, the more prepared we are to stop them. Not surprisingly, the United States Secret Service (USSS) is also interested in studying and stopping data breaches. This was a driving force in their decision to join us in this 2010 Data Breach Investigations Report. They’ve increased the scope of what we’re able to study dramatically by including a few hundred of their own cases to the mix. Also included are two appendices from the USSS. One delves into online criminal communities and the other focuses prosecuting cybercrime. We’re grateful for their contributions and believe organizations and individuals around the world will benefit from their efforts. With the addition of Verizon’s 2009 caseload and data contributed from the USSS, the DBIR series now spans six years, 900+ breaches, and over 900 million compromised records."
  • August 02, 2010
    * Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance

    Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance, GAO-10-606, July 02, 2010

  • "There are a number of key entities and efforts with significant influence on international cyberspace security and governance. The organizations range from information-sharing forums that are nondecision-making gatherings of experts to private organizations to treaty-based, decision-making bodies founded by countries. Their efforts include those to address topics such as incident response, technical standards, and law enforcement cooperation. For example, the International Organization for Standardization is a nongovernmental organization that develops and publishes international standards, including those related to cybersecurity, through a consensus-based process involving a network of the national standards bodies of 162 countries. A number of U.S. federal entities have responsibilities for, and are involved in, international cyberspace governance and security efforts. Specifically, the Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are involved in efforts to develop international standards, formulate cyber-defense policy, facilitate overseas investigations and law enforcement, and represent U.S. interests in international forums. Federal entities have varying roles among organizations and efforts with international influence over cyberspace security and governance, including engaging in bilateral and multilateral relationships with foreign countries, providing personnel to foreign agencies, leading or being a member of a U.S. delegation, coordinating U.S. policy with other U.S. entities through the interagency process, or attending meetings."
  • July 29, 2010
    * National Cyber Security Alliance launches Web portal for 2010 National Cyber Security Awareness Month

    News release: "The National Cyber Security Alliance (NCSA), a public-private partnership focused on educating a digital citizenry to stay safe and secure online, today launched its National Cyber Security Awareness Month Web portal with information on events, activities, promotions and educational materials to be used in preparation for the online safety month to be held in October. Anyone – family, employers, consumers, teachers, and students – interested in online safety is encouraged to access the portal, and all materials are free to use."

    * Commerce Dept. launches major inquiry into cyber challenges to the Internet economy

    [Federal Register: July 28, 2010 (Volume 75, Number 144)] [Notices][Page 44216-44223]: "The Department of Commerce's Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy. The Department seeks comments from all stakeholders, including the commercial, academic and civil society sectors, on measures to improve cybersecurity while sustaining innovation. Preserving innovation, as well as private sector and consumer confidence in the security of the Internet economy, are important for promoting economic prosperity and social well-being overall. In particular, the Department seeks to develop an up-to-date understanding of the current public policy and operational challenges affecting cybersecurity, as those challenges may shape the future direction of the Internet and its commercial use, both domestically and globally. After analyzing comments on this Notice, the Department intends to issue a report that will contribute to the Administration's domestic and international policies and activities in advancing both cybersecurity and the Internet economy."

  • "The Internet has become vitally important to U.S. innovation, prosperity, education, civic activity and cultural life as well as aspects of our national security. A top priority of the Department of Commerce is to ensure that the Internet remains an open and trusted infrastructure, both for commercial entities and individuals. In pursuit of this priority, the Department has created an Internet Policy Task Force whose mission is to identify leading policy challenges and to recommend possible solutions. The Task Force leverages expertise across many bureaus at the Department, including those responsible for cybersecurity standards and best practices, information and communications policy, international trade, intellectual property, business advocacy and export control. This Notice of Inquiry is one in a series of inquiries from the Task Force. Other reviews examine information privacy, global free flow of information on the Internet, and online copyright protection issues. The Task Force may explore additional areas in the future."
  • July 17, 2010
    * Hearing: Planning for the Future of Cyber Attack Attribution

    "EPIC Executive Director Marc Rotenberg testified [July 15, 2010]before the House Committee on Science and Technology regarding Planning for the Future of Cyber Attack Attribution. In his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies."

    July 06, 2010
    * New GAO Reports: Overseas Contingency Operations, Cybersecurity
    • Overseas Contingency Operations: Comparison of the Department of Defense's Overseas Contingency Operations Funding Requests for Fiscal Years 2010 and 2011, GAO-10-889R, July 06, 2010
    • Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development, GAO-10-466, June 03, 2010
    • Expeditionary Fighting Vehicle (EFV) Program Faces Cost, Schedule and Performance Risks, GAO-10-758R, July 02, 2010
    June 26, 2010
    * The National Strategy for Trusted Identities in Cyberspace

    The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure."

  • National Strategy for Trusted Identities in Cyberspace - Creating Options for Enhanced Online Security and Privacy, June 25, 2010
  • June 24, 2010
    * FTC Takes Action Against Twitter, Social Network Service Settles Charges It Deceived Consumers

    Twitter Settles Charges that it Failed to Protect Consumers’
    Personal Information; Company Will Establish Independently Audited Information Security Program
    : "Social networking service Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the agency’s first such case against a social networking service. The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News, among others."

    * The Protecting Cyberspace as a National Asset Act of 2010

    The Protecting Cyberspace as a National Asset Act of 2010 - This webpage links to facts sheets, summaries, comparisons and other relevant documents on this controversial legislation.

  • Myth v. Reality The Facts About S. 3480, “Protecting Cyberspace as a National Asset Act of 2010
  • United States Senate Committee on Homeland Security and Governmental Affairs, Senator Joseph I. Lieberman, Chairman, Senator Susan M. Collins, Ranking Member: "Our proposed legislation would modernize efforts to safeguard the nation’s cyberspace networks by creating a more robust organizational structure. This framework would enhance public-private partnerships to build preparedness and resiliency, strengthen the security of federal systems and improve awareness of cyberthreats across the country."
  • * FinCEN Releases 14th SAR Activity Review-By the Numbers Total Filings Fall but Fraud and Terrorist Financing Reports Grow

    News release: "The Financial Crimes Enforcement Network (FinCEN) today released its 14th edition of the SAR Activity Review – By the Numbers, which covers suspicious activity reports (SARs) filed in 2009. The report shows that the total number of all SARs filed by financial institutions declined from 1.29 million in 2008 to 1.28 million in 2009. This is the first time since 1996 that the total number of SARs filed declined over a one-year period. SARs filed by depository institutions declined for the first time from 732,563 in 2008 to 720,309 in 2009."

    June 20, 2010
    * DHS OIG: U.S. Computer Emergency Readiness Team Makes Progress in Securing Cyberspace, but Challenges Remain

    U.S. Computer Emergency Readiness Team Makes Progress in Securing Cyberspace, but Challenges Remain, OIG-10-94, June 2010

  • "This report addresses the U.S. Computer Emergency Readiness Team’s (US-CERT) efforts to coordinate national cyber analyses and warnings against and response to attacks within the nation’s critical infrastructure...US-CERT is hindered in its ability to provide an effective analysis and warning program for the federal government in a number of ways. Specifically, US-CERT does not have the appropriate enforcement authority to help mitigate security incidents. Additionally, it is not sufficiently staffed to perform its mission. Further, US-CERT has not finalized performance measures and policies and procedures related to cybersecurity efforts."
  • * UNODC report: International criminal markets have become major centres of power

    News release: "A report released by UN Office on Drugs and Crime shows how organized crime has globalized and turned into one of the world's foremost economic and armed powers. The Globalization of Crime: A Transnational Organized Crime Threat Assessment, released at the Council of Foreign Relations in New York, looks at major trafficking flows of drugs (cocaine and heroin), firearms, counterfeit products, stolen natural resources and people (for sex and forced labour), as well as smuggled migrants. It also covers maritime piracy and cybercrime."

    June 12, 2010
    * Leaks of National Security Documents to Media Focus of Government Prosecution

    Follow up to New Yorker: Julian Assange and WikiLeak's mission for total transparency news from two sources on converging aspects of leaking national security data via MSM and alternative news outlets.

  • "Pentagon investigators are trying to determine the whereabouts of the Australian-born founder of the secretive website Wikileaks for fear that he may be about to publish a huge cache of classified State Department cables that, if made public, could do serious damage to national security, government officials tell The Daily Beast. The officials acknowledge that even if they found the website founder, Julian Assange, it is not clear what they could do to block publication of the cables on Wikileaks, which is nominally based on a server in Sweden and bills itself as a champion of whistleblowers."
  • New York Times: "Though Mr. Obama began his presidency with a pledge of transparency, his aides have warned of a crackdown on leakers. In a November speech, the top lawyer for the intelligence agencies, Robert S. Litt, decried “leaks of classified information that have caused specific and identifiable losses of intelligence capabilities.” He promised action “in the coming months.”
  • June 06, 2010
    * New Yorker: Julian Assange and WikiLeak's mission for total transparency

    No Secrets, by Raffi Khatchadourian: "[Julian Paul] Assange is an international trafficker, of sorts. He and his colleagues collect documents and imagery that governments and other institutions regard as confidential and publish them on a Web site called WikiLeaks.org. Since it went online, three and a half years ago, the site has published an extensive catalogue of secret material, ranging from the Standard Operating Procedures at Camp Delta, in Guantánamo Bay, and the “Climategate” e-mails from the University of East Anglia, in England, to the contents of Sarah Palin’s private Yahoo account. The catalogue is especially remarkable because WikiLeaks is not quite an organization; it is better described as a media insurgency. It has no paid staff, no copiers, no desks, no office. Assange does not even have a home. He travels from country to country, staying with supporters, or friends of friends—as he once put it to me, “I’m living in airports these days.” He is the operation’s prime mover, and it is fair to say that WikiLeaks exists wherever he does. At the same time, hundreds of volunteers from around the world help maintain the Web site’s complicated infrastructure; many participate in small ways, and between three and five people dedicate themselves to it full time. Key members are known only by initials—M, for instance—even deep within WikiLeaks, where communications are conducted by encrypted online chat services. The secretiveness stems from the belief that a populist intelligence operation with virtually no resources, designed to publicize information that powerful institutions do not want public, will have serious adversaries."

  • Wired: U.S. Intelligence Analyst Arrested in Wikileaks Video Probe
  • June 02, 2010
    * FT.com Reports Google Phasing Out Corporate Use of Windows

    FT.com: "Google is phasing out the internal use of Microsoft’s ubiquitous Windows operating system because of security concerns, according to several Google employees. The directive to move to other operating systems began in earnest in January, after Google’s Chinese operations were hacked, and could effectively end the use of Windows at Google, which employs more than 10,000 workers internationally."

    April 26, 2010
    * FY 2010 Reporting Instructions for Federal Information Security Management Act and Agency Privacy Management

    EPIC: "A new White House memo sets out the Federal Information Security Management Act of 2002 (FISMA) standards for federal agencies. All agencies must comply with the FISMA standard and report security practices for information under agency control. The standard also extends obligations to agency contractors. By November 15, 2010, all agencies must be capable of monitoring all information traffic on their networks; and make reports to CyberScope, a platform launched last year to provide a single government-wide security management tool for FISMA reports. The Memorandum included requirements to respond to breaches of personal information. Agency Inspectors General will provide oversight of agency FISMA compliance."

    April 23, 2010
    * Symantec Internet Security Threat Report April 2010

    "The Symantec Internet Security Threat Report provides an annual overview and detailed analysis of Internet threat activity, malicious code, and known vulnerabilities. The report also discusses trends in phishing, spam and observed activities on underground economy servers...report sathe ys the U.S. was top country for malicious activity, making up 19% total."

    April 20, 2010
    * East West Institute: Global Cyber Deterrence

    Global Cyber Deterrence - Views from China, the U.S., Russia, India, and Norway by Tang Lan, Zhang Xin, Harry D. Raduege, Jr., Dmitry I. Grigoriev, Pavan Duggal, and Stein Schjølberg. Edited by Andrew Nagorski. April 2010

  • "Cybersecurity looms as the 21st century’s most vexing security challenge. The global digital economy hinges on a fragile system of undersea cables and private-sector-led partnerships, while the most sophisticated military command and control systems can be interfered with by non-state as well as state actors. Technology continues to race ahead of the ability of policy and legal communities to keep up. Yet international cooperation remains stubbornly difficult, both among governments as well as between them and the private sector—the natural leaders in everything cyber. In 2007, the International Telecommunication Union (ITU) set up a High-Level Experts Group to try to address the problem but progress is slow. The European Union and Asia-Pacific Economic Cooperation (APEC) are working at the regional level. But it has only been in the past six months that public consciousness has started to grasp the scope and significance of the cybersecurity challenge. Pushed by a spate of revelations about cyber attacks worldwide, the media and key elites now seem to get it: cybersecurity is a fundamental problem that must be addressed across traditional boundaries and borders by the private and public sectors in new and cooperative ways...For this policy paper, EWI asked top cyber experts in five countries—China, the U.S., Russia, India, and Norway—to present their vision of what is needed to build an effective system of cyber deterrence. It is a first step in the process of building trust on tackling cybersecurity challenges—listening, understanding and probing the views, interests and concerns of key players in the global system."
  • See also Richard Clarke On The Growing 'Cyberwar' Threat
  • April 19, 2010
    * NYT: Cyberattack on Google Said to Hit Password System

    Follow up to Google Announces "A new approach to China", from the New York Times: "Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s web services, including e-mail and business applications."

    April 12, 2010
    * NIST: Guide to Protecting the Confidentiality of Personally Identifiable Information

    NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, Erika McCallister, Tim Grance, Karen Scarfone, April 2010.

  • "The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies,5 but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization‘s legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII. To effectively protect PII, organizations should implement the following recommendations."
  • * Federal Cyber Security Outlook for 2010

    "How well prepared are IT professionals within U.S. government agencies to respond to foreign cyber threats? Will government initiatives, such as the Comprehensive National Cybersecurity Initiative and the creation of the U.S. National Cybersecurity Coordinator role, be effective in addressing the challenges facing U.S. critical IT infrastructure? What is the impact of compliance on security within the federal IT environment? Commissioned by Lumension, Clarus Research Group set about to answer these and other important questions facing federal IT in Lumension’s Federal Cyber Security Outlook for 2010: National IT Security Challenges Mounting study. Clarus Research Group interviewed over 200 federal IT decision-makers and influencers about endpoint operations, IT security and compliance issues."

    * Letter Report for the Committee on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy

    "This report [by the Committee on Deterring Cyberattacks; National Research Council] is the first phase of a larger project to conduct a broad, multidisciplinary examination of deterrence strategies and their possible utility to the U.S. government in its policies toward preventing cyberattacks. This first phase identifies the key issues and questions that merit examination. The next phase will engage experts to prepare papers that address key issues and questions, including those posed here. This letter report provides basic information needed to understand the nature of the problem and to articulate important questions that can drive research regarding ways of more effectively preventing, discouraging, and inhibiting hostile activity against important U.S. information systems and networks."

    April 05, 2010
    * Shadows in the Cloud: Investigating Cyber Espionage 2.0

    Information Warfare Monitor: "The Information Warfare Monitor/ (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) and the Shadowserver Foundation announce the release of Shadows in the Cloud: An investigation into cyber espionage 2.0. The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries."

  • New York Times: Researchers Trace Data Theft to Intruders in China

  • April 04, 2010
    * Gizmodo: How to Completely Erase Your Hard Drives, SSDs and Thumb Drives

    Follow up to postings on security issues and erasing hard drive, from Gizmodoa detailed article with accompanying screen shots and product references: "With stories abounding of identity theft aided by information lifted from discarded storage devices, you want devices you no longer plan to use to have no usable information when they head out the door. Here's how to wipe them clean...When you erase/delete a file from your computer, it's not really gone until the areas of the disk it used are overwritten by new information. If you use the normal Windows delete function, the "deleted" file is sent to the Recycle Bin until the space it uses is required by other files. If you use Shift-Delete to bypass the Recycle Bin, the space occupied by the file is marked as available for other files. However, the file could be recovered days or even weeks later with third-party data recovery software. As long as the operating system does not reuse the space occupied by a file with another file, the "deleted" file can be recovered."

    April 01, 2010
    * OnGuardOnline.gov Off to a Fast Start with Online Child Safety Campaign

    News release: "The Federal Trade Commission today reported to Congress that it is getting the word out about Internet safety for children by aggressively promoting a new booklet, Net Cetera: Chatting with Kids About Being Online, to schools, police and sheriff’s departments, and PTAs nationwide. Net Cetera explains to parents and their children how to deal with issues such as social networking, cyberbullying, using mobile phones safely, and protecting the family computer from badware. The booklet is practical, plain-language, and value-neutral, so all parents – regardless of whether they are technologically savvy – can use it to help their kids make better decisions about online behavior. It is the most recent addition to the OnGuardOnline.gov consumer education campaign, which helps people guard against Internet fraud, secure their computers, and protect their privacy."

    March 29, 2010
    * Identity Theft Resource Center - 2010 Breaches Occuring at Record Level

    Although many organizations do not report breaches on a timely basis, or in many instances, report them at all, the most recent Identity Theft Resource Center report reveals data protection remains a critical issue for organizations, especially financial services.

    March 26, 2010
    * Leader of Hacking Ring Sentenced for Massive Identity Thefts from Payment Processor and U.S. Retail Networks

    Follow up to Major International Hacker Pleads Guilty For Massive Attack On U.S. Retail And Banking Networks, this DOJ news release: "The leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government has been sentenced to 20 years and one day in prison for his role in a series of hacks into a major payment processor and several retail networks, announced Assistant Attorney General for the Criminal Division Lanny A. Breuer; U.S. Attorney for the District of Massachusetts Carmen Milagros Ortiz; U.S. Attorney for the Eastern District of New York Benton J. Campbell; U.S. Attorney for the District of New Jersey Paul J. Fishman; and Director of the U.S. Secret Service Mark Sullivan."

    March 25, 2010
    * FTC Testifies on Efforts to Ensure Credit Report Accuracy, Prevent ID Theft, and Improve Credit Score Transparency

    News release: Prepared Statement of the Federal Trade Commission On Keeping Score on Credit Scores: An Overview of Credit Scores, Credit Reports and Their Impact on Consumers, Presented by David Vladeck, Director, Bureau of Consumer Protection, Before the Subcommittee On Financial Institutions and Consumer Credit of the Committee On Financial Services, United States House of Representatives (March 24, 2010)

  • Related postings on financial system
  • March 24, 2010
    * New GAO Reports: Information Security, Joint Strike Fighter, Veterans' Disability Benefits, Recovery Act
    • Information Security: Concerted Response Needed to Resolve Persistent Weaknesses, GAO-10-536T, March 24, 2010: "Without proper safeguards, federal computer systems are vulnerable to intrusions by individuals who have malicious intentions and can obtain sensitive information. The need for a vigilant approach to information security has been demonstrated by the pervasive and sustained cyber attacks against the United States; these attacks continue to pose a potentially devastating impact to systems as well as the operations and critical infrastructures that they support."
    • Joint Strike Fighter: Significant Challenges and Decisions Ahead, GAO-10-478T, March 24, 2010
    • Veterans' Disability Benefits: VA Has Improved Its Programs for Measuring Accuracy and Consistency, but Challenges Remain, GAO-10-530T, March 24, 2010
    • Recovery Act: Officials' Views Vary on Impacts of Davis-Bacon Act Prevailing Wage Provision, GAO-10-421, February 24, 2010
    March 23, 2010
    * Cisco 2009 Annual Security Report

    Cisco 2009 Annual Security Report Highlighting global security threats and trends: "The Cisco® Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and December 2009. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2010."

    March 22, 2010
    * Google Discontinues Censored Search in Mainland China

    Official Google Blog: "On January 12, we announced on this blog that Google and more than twenty other U.S. companies had been the victims of a sophisticated cyber attack originating from China, and that during our investigation into these attacks we had uncovered evidence to suggest that the Gmail accounts of dozens of human rights activists connected with China were being routinely accessed by third parties, most likely via phishing scams or malware placed on their computers. We also made clear that these attacks and the surveillance they uncovered—combined with attempts over the last year to further limit free speech on the web in China including the persistent blocking of websites such as Facebook, Twitter, YouTube, Google Docs and Blogger—had led us to conclude that we could no longer continue censoring our results on Google.cn. So earlier today we stopped censoring our search services—Google Search, Google News, and Google Images—on Google.cn. Users visiting Google.cn are now being redirected to Google.com.hk, where we are offering uncensored search in simplified Chinese, specifically designed for users in mainland China and delivered via our servers in Hong Kong. Users in Hong Kong will continue to receive their existing uncensored, traditional Chinese service, also from Google.com.hk."

  • BusinessWeek - Google Stops Censoring Web Search Results in China: Timeline
  • March 15, 2010
    * Internet Crime Complaint Center Annual Report

    News release: "The Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center (NW3C), released the 2009 Annual Report about fraudulent activity on the Internet today. Online crime complaints increased substantially once again last year, according to the report. The IC3 received a total of 336,655 complaints, a 22.3 percent increase from 2008. The total loss linked to online fraud was $559.7 million; this is up from $265 million in 2008."

    March 09, 2010
    * FinCEN Provides Anti-Fraud Information for 12th Annual National Consumer Protection Week

    News release: "FinCEN joins with other Federal, State and Local government agencies and consumer protection organizations to recognize the 12th Annual National Consumer Protection Week (NCPW), March 7-13. This coordinated consumer education campaign encourages individuals across the country to take full advantage of their consumer rights. FinCEN provides a number of special resources to educate consumers, and the financial institutions that serve them, of potential fraud and scam attempts. FinCEN's rules help consumers by requiring financial institutions to be on the alert for illicit activity. Requirements that a financial institution know its customers can help both to provide better customer service and to prevent that customer from becoming a victim of fraud."

  • Information and "Red Flags" on Mortgage Fraud, Foreclosure Rescue Scams, and Insurance Products: http://www.fincen.gov/foreclosurerescue.html, and http://www.fincen.gov/mortgagefraud.html
  • March 08, 2010
    * M-Trends Report at U.S. Department of Defense: Cyber Crime Conference

    News release: "MANDIANT, the information security industry’s leading provider of incident response and computer forensics services and solutions, today announced formal distribution of its inaugural M-Trends report at the U.S. Department of Defense: Cyber Crime Conference 2010 in St. Louis. M-Trends spans seven years of lessons learned on the front lines of intrusion investigations for the U.S. government, defense industrial base and commercial organizations. The 29-page report details malware capabilities and techniques and other highly complex and sophisticated attack schemes used by the Advanced Persistent Threat (APT) across a breadth of organizations. Content presented in M-Trends has been derived by MANDIANT from unclassified environments and sanitized to protect victim identity and data."

    March 05, 2010
    * New GAO Reports: Cybersecurity, Recovery Act, Food Safety
    • Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative, GAO-10-338, March 05, 2010
    • Recovery Act: California's Use of Funds and Efforts to Ensure Accountability, GAO-10-467T, March 05, 2010
    • Food Safety: FDA Should Strengthen Its Oversight of Food Ingredients Determined to Be Generally Recognized as Safe (GRAS), GAO-10-246, February 03, 2010
    March 04, 2010
    * Declassified Version of U.S. Cybersecurity Plan Released by White House

    The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure In May 2009, the President accepted the recommendations of the resulting Cyberspace Policy Review, including the selection of an Executive Branch Cybersecurity Coordinator who will have regular access to the President. The Executive Branch was also directed to work closely with all key players in U.S. cybersecurity, including state and local governments and the private sector, to ensure an organized and unified response to future cyber incidents; strengthen public/private partnerships to find technology solutions that ensure U.S. security and prosperity; invest in the cutting-edge research and development necessary for the innovation and discovery to meet the digital challenges of our time; and begin a campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms and begin to build the digital workforce of the 21st century. Finally, the President directed that these activities be conducted in a way that is consistent with ensuring the privacy rights and civil liberties guaranteed in the Constitution and cherished by all Americans."

    March 03, 2010
    * FTC, Partners Launch 12th National Consumer Protection Week

    News release: "The Federal Trade Commission and other government agencies and national consumer groups are sponsoring the 12th annual National Consumer Protection Week from March 7-13, 2010. The event is a coordinated consumer education campaign that encourages individuals across the country to take full advantage of their consumer rights. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life, from grade school to retirement. In keeping with the theme, the consumer education campaign features a Web site with a page for kids and parents, as well as games, videos, and links other Web sites that teach practical lessons about the role of business and government in everyday life. The site, www.consumer.gov/ncpw, provides information that encourages people to take full advantage of their consumer rights, and promotes free resources to help people protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams."

    February 28, 2010
    * Study Ranks Top 20 Companies for Privacy in 2010, Facebook Drops Off List

    EPIC: "Ponemon Institute released its annual study identifying the top twenty companies that are most trusted for privacy. American Express was ranked first, earning the Most Trusted for Privacy distinction for the fifth year in a row. Facebook suffered several privacy missteps over the last year, including a recent change in privacy settings at the end of 2009, and as a result, failed to make the 2010 list. Google, however, returned to the Top 20, ranked at 13. The survey also produced significant findings regarding consumer attitudes towards privacy, including the finding that consumers feel they are losing control over their personal information. Further, the responses revealed that consumers’ fear of identity theft is the main factor for brand trust diminishment, while a company’s implementation of privacy features contribute to brand trust. Other significant positive factors were limits on the collection of personal information and online anonymity."

    * DOD Policy on Social Networking Services

    Directive-Type Memorandum (DTM) 09-026 - Responsible and Effective Use of Internet-based Capabilities, February 25, 2010

  • "This memorandum establishes DoD policy and assigns responsibilities for responsible and effective use of Internet-based capabilities, including social networking services (SNS) [Internet-based capabilities. All publicly accessible information capabilities and applications available across the Internet in locations not owned, operated, or controlled by the Department of Defense or the Federal Government. Internet-based capabilities include collaborative tools such as SNS, social media, user-generated content, social software, e-mail, instant messaging, and discussion forums (e.g., YouTube, Facebook, MySpace, Twitter, Google Apps)]. This policy recognizes that Internet-based capabilities are integral to operations across the Department of Defense.
  • The Non-Classified Internet Protocol Router Network (NIPRNET) shall be configured to provide access to Internet-based capabilities across all DoD Components. Commanders at all levels and Heads of DoD Components shall continue to defend against malicious activity affecting DoD networks (e.g., distributed denial of service attacks, intrusions) and take immediate and commensurate actions, as required, to safeguard missions (e.g., temporarily limiting access to the Internet to preserve operations security or to address bandwidth constraints)."
  • February 18, 2010
    * NetWitness Discovers Massive ZeuS Compromise

    News release: "NetWitness, the world leader in advanced persistent threat detection and real-time network forensics, announced today that its analysts have discovered a dangerous new ZeuS botnet affecting 75,000 systems in 2,500 organizations around the world. The newly-discovered infestation, dubbed the "Kneber botnet" after the username linking the infected systems worldwide, gathers login credentials to online financial systems, social networking sites and email systems from infested computers and reports the information to miscreants who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities. NetWitness first discovered the Kneber botnet in January during a routine deployment of the NetWitness advanced monitoring solutions. Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines."

  • The “Kneber” BotNet - A ZeuS Discovery and Analysis: At its core, ZeuS is a botnet system designed to steal information from an infected host. Unlike a traditional keylogger system, which records every keystroke, ZeuS can specifically target information desired by the criminal miscreant."
  • February 16, 2010
    * Security Labs Report Jul 2009-Dec 2009 Recap

    Security Labs Report Jul 2009-Dec 2009 Recap - "This report has been prepared by the M86 Security Labs team. It covers key trends and developments in Internet security over the last six months, as observed by the security analysts at M86 Security Labs. M86 Security Labs is a group of security analysts specializing in Email and Web threats, from spam to malware.
    Key Points of this report:

  • Spam volumes increased dramatically in 2009, to over 200 billion per day with the vast majority sent through Botnets of infected computers. In the second half of 2009, 78% of all spam originated from the top 5 botnets alone by volume.
  • Malicious spam dramatically increased in volume, reaching 3 billion messages per day, compared to 600 million messages per day in the first half of 2009.
  • Even with adequate protection from Antivirus software, Zero Day Vulnerabilities left users vulnerable to potential attacks 40% of the time (in the 2nd half of 2009)."
  • February 13, 2010
    * 2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise

    2010 Identity Fraud Survey Report: Consumer Version

  • "More than 11 million adult consumers became victims of identity fraud in 2009, up from nearly 10 million in 2008. The number of fraud victims rose for the second year in a row. On the other hand, victims’ out-of-pocket costs and the time required to resolve fraud have decreased. Out-of-pocket costs can include unreimbursed losses, lost wages due to time taken off work, and possible legal fees for those victims attempting to prosecute. Banks have stepped up their efforts in counteracting fraud and minimizing the cost and inconvenience suffered by consumers. Most victims don’t experience any out-of-pocket costs, but those who did suffered an average cost of $373. The average time to resolve the fraud for these victims was 21 hours. Due to the zero-liability fraud protection offered by most banks and credit card companies, most victims will only have to pay out-of-pocket expenses to cover their time in resolving fraud, not for reimbursing fraudulent charges...This report provides easy to follow guidelines and recommendations for consumers to protect themselves against this $54 billion crime."

  • February 04, 2010
    * FTC Testifies About Stepped-Up Efforts to Protect Consumers Affected by the Economic Downturn

    News release: "The Federal Trade Commission today told the U.S. Senate Committee on Commerce, Science and Transportation that the agency has stepped up efforts to protect consumers affected by the economic downtown, and that additional authority would make the agency even more effective. The testimony presented by FTC Chairman Jon Leibowitz described the agency’s efforts to prosecute financial fraud and deception, including working with states to bring hundreds of cases against mortgage relief scams in 2009. The testimony also discussed the FTC’s rulemaking and consumer education initiatives, how additional authority will enhance the agency’s effectiveness, and the FTC’s perspective on recent proposals to create a consumer financial protection agency as part of a broader reform of the financial services regulatory system."

  • Related postings on financial system
  • February 02, 2010
    * Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence

    Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, Dennis C. Blair, Director of National Intelligence, February 2, 2010

  • "The national security of the United States, our economic prosperity, and the daily functioning of our government are dependent on a dynamic public and private information infrastructure, which includes telecommunications, computer networks and systems, and the information residing within. This critical infrastructure is severely threatened. This cyber domain is exponentially expanding our ability to create and share knowledge, but it is also enabling those who would steal, corrupt, harm or destroy the public and private assets vital to our national interests. The recent intrusions reported by Google are a stark reminder of the importance of these cyber assets, and a wake-up call to those who have not taken this problem seriously. Companies who promptly report cyber intrusions to government authorities greatly help us to understand and address the range of cyber threats that face us all. I am here today to stress that, acting independently, neither the US Government nor the private sector can fully control or protect the country’s information infrastructure. Yet, with increased national attention and investment in cyber security initiatives, I am confident the United States can implement measures to mitigate this negative situation."
  • * Phishing Activity Trends Report, 3rd Quarter / 2009

    The quarterly APWG (AntiPhishing Working Group) Phishing Activity Trends Report analyzes phishing attacks reported to the APWG by its member companies, its Global Research Partners, through the organization’s website and by email submissions. APWG also measures the evolution, proliferation and propagation of crimeware drawing from the research of our member companies. In the last half of this report you will find tabulations of crimeware statistics and related analyses."

    January 31, 2010
    * Information Society Statistical Profiles 2009: Arab States

    News release: Arab States define key ICT development priorities Broadband, digital broadcasting, open source software, Arab digital content and cybersecurity are main objectives. "The Arab States Regional Preparatory Meeting (RPM) for the International Telecommunications Union (ITU) World Telecommunication Development Conference 2010 (WTDC-10) concluded on Tuesday, 19 January in Damascus, Syrian Arab Republic, with delegates reaching consensus on regional strategies to foster the development of information and communication technologies (ICTs)."

    • Information Society Statistical Profiles 2009: Arab States - "Over the past decade, the Arab States region has made significant progress when it comes to ICT access and use. In the mobile market, a number of national operators have expanded their services to customers across and beyond the region. Mobile telephony has grown at an annual rate of 55 per cent, reaching a penetration level of 63 per cent at the end of 2008. There are now 16 Internet users per 100 inhabitants, compared to only 4 in 2003. Nevertheless, compared to other regions, Internet usage, and particular broadband access, is still rather limited and out of the reach of most people in the region, in particular those living in rural areas."
    • See also Presentation, Information Society Statistical Profiles 2009 Arab States, Damascus, Syria, 17-19 January 2010

    * McAfee, Inc. Report Reveals Critical Infrastructure Under Constant Cyberattack Causing Widespread Damage

    News release: "McAfee, Inc. revealed [at the World Economic Forum Annual Meeting 2010] the staggering cost and impact of cyberattacks on critical infrastructure such as electrical grids, oil and gas production, telecommunications and transportation networks. A survey of 600 IT security executives from critical infrastructure enterprises worldwide showed that more than half (54%) have already suffered large scale attacks or stealthy infiltrations from organized crime gangs, terrorists or nation-states. The average estimated cost of downtime associated with a major incident is $6.3 million per day. The report, In the Crossfire: Critical Infrastructure in the Age of Cyberwar, commissioned by McAfee and authored by the Center for Strategic and International Studies (CSIS), also found that the risk of cyberattack is rising. Despite a growing body of legislation and regulation, more than a third of IT executives (37%) said the vulnerability of their sector had increased over the past 12 months and two-fifths expect a major security incident in their sector within the next year. Only 20% think their sector is safe from serious cyberattack over the next five years."

    January 29, 2010
    * Navy Establishes U.S. Fleet Cyber Command at Fort Meade, MD

    OPNAV NOTICE 5400, January 11, 2010: "Action will establish U. S. Fleet Cyber Command as an echelon II command to serve as the Navy Component Commander to United States Cyber Command upon its establishment. Interim reporting will be to United States Strategic Command. Command will provide for operational employment of the Navy's cyber, network operations, information operations, cryptologic and space forces, and serve as the Navy's Service Cryptologic Component Commander to the National Security Agency. U.S. Tenth Fleet. will be re-commissioned to control operations supporting U. S. Fleet Cyber Command.

  • Mission: To direct Navy cyberspace operations globally to deter and defeat aqgression and to ensure freedom of action achieve military objectives in and through cyberspace; to organize and direct Navy cryptologic operations worldwide and support information operations (IO) and space planning and operations, as directed; to execute cyber missions as directed by USCYBERCOM; to direct, operate, maintain, secure and defend the Navy's portion of the Global Information Grid (GIG); to deliver integrated cyber, 10, cryptologic and space capabilities; to deliver global Navy cyber network common operational picture; and to develop, coordinate and assess Navy cyber operational requirements."
  • January 27, 2010
    * Investigative Report - US oil industry hit by cyberattacks

    Christian Science Monitor: "At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage. The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show. The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show. The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says."

  • See also, Remarks on Internet Freedom, Hillary Rodham Clinton, Secretary of State, January 21, 2010: "States, terrorists, and those who would act as their proxies must know that the United States will protect our networks. Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government, and our civil society. Countries or individuals that engage in cyber attacks should face consequences and international condemnation. In an internet-connected world, an attack on one nation’s networks can be an attack on all. And by reinforcing that message, we can create norms of behavior among states and encourage respect for the global networked commons."
  • January 26, 2010
    * Ponemon 2009 Annual Study: Cost of a Data Breach

    "This 2009 Ponemon Institute 2009 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent the cost estimates of activities resulting from the actual data loss incidents. This is the fifth annual survey of this issues. Breaches included in the survey included ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors."

    January 19, 2010
    * Global Risks 2010 A Global Risk Network Report

    Global Risks 2010 - A Global Risk Network Report. A World Economic Forum Report in collaboration with Citi, Marsh & McLennan Companies (MMC), Swiss Re, Wharton School Risk Center, Zurich Financial Services. January 2010.

  • "This year’s report explores a set of risks that share a potential for wider systemic impact and are strongly linked to a number of significant, long-term trends. First, there are those which feature highly on the Global Risks Landscape and which predated the recession but have been exacerbated by its impact through greater resources constraints or short-term thinking. These include:
    • Fiscal crises and the social and political implications of high unemployment
    • Underinvestment in infrastructure, both new and existing, and its consequences for growth, resource scarcity and climate change adaptation
    • Chronic diseases and their impact on both advanced economies and developing countries....other risks include: transnational crime and corruption; biodiversity loss; and cyber-vulnerability."
    • Related postings on financial system
  • January 12, 2010
    * Google Announces "A new approach to China"

    Official Google Blog:

  • "In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different...We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that "we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China." These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China."
  • January 11, 2010
    * Panda Security Publishes Virus Yearbook 2009

    Annual Report PandaLabs 2009

  • "The last 12 months really have marked a turning point in the history of IT security. This has been for several reasons, yet without doubt the main one has been the way in which criminal organizations have consolidated underground business models. In 2009, hackers have made more money than in any previous year, underlined not least by the total number of new and different malware samples received by PandaLabs throughout the year, exceeding by far the forecasts we made in 2008. At time of writing, there are over 40 million malware samples in our Collective Intelligence system, and we are still receiving an average of 55,000 new samples every day. This trend, which began in 2008 and has been consolidated in 2009, will continue to determine the daytoday activity of anti-malware laboratories during 2010...In this report we will take a look at how malware is evolving worldwide and we will try to analyze the main trends of 2010. Without revealing too much, let’s just say the future doesn’t look too bright."
  • January 05, 2010
    * McAfee Labs Predicts Facebook, Twitter Will Be Platforms of Choice for Emerging Threats

    News release: "McAfee Inc. unveiled its 2010 Threat Predictions report. McAfee Labs believes cybercriminals will target social networking sites and third-party applications, use more complex Trojans and botnets to build and execute attacks, and take advantage of HTML 5 to create emerging threats. McAfee Labs also predicts 2010 will be a good year for law enforcement’s fight against cybercrime...Facebook, Twitter, and third-party applications on these sites are rapidly changing the criminal toolkit, giving cybercriminals new technologies to work with and hot spots of activity that can be exploited. Users will become more vulnerable to attacks that blindly distribute rogue apps across their networks, and cybercriminals will take advantage of friends trusting friends to get users to click on links they might otherwise treat cautiously. The use of abbreviated URLs on sites like Twitter make it even easier for cybercriminals to mask and direct users to malicious Web sites. McAfee Labs predicts that cybercriminals will increasingly use these tactics across the most popular social networking sites in 2010."

    January 03, 2010
    * Growth of Cloud Computing and Parallel Security Risks

    Security in the Ether - Information technology's next grand challenge will be to secure the cloud--and prove we can trust it. By David Talbot, Technology Review, January/February 2010 [Dan Mitchel]

  • "In 2006, when Amazon introduced the Elastic Compute Cloud (EC2), it was a watershed event in the quest to transform computing into a ubiquitous utility, like electricity. Suddenly, anyone could scroll through an online menu, whip out a credit card, and hire as much computational horsepower as necessary, paying for it at a fixed rate...Those systems would run on "virtual machines" that could be created and configured in an instant, disappearing just as fast when no longer needed. As their needs grew, clients could simply put more quarters into the meters. Amazon would take care of hassles like maintaining the data center and network. The virtual machines would, of course, run inside real ones: the thousands of humming, blinking servers clustered in Amazon's data centers around the world. The cloud computing service was efficient, cheap, and equally accessible to individuals, companies, research labs, and government agencies. But it also posed a potential threat. EC2 brought to the masses something once confined mainly to corporate IT systems: engineering in which Oz-like programs called hypervisors create and control virtual processors, networks, and disk drives, many of which may operate on the same physical servers."
  • Related postings on cloud computing
  • * Major International Hacker Pleads Guilty For Massive Attack On U.S. Retail And Banking Networks

    News release: "Albert Gonzalez, 28, of Miami, pleaded guilty today to conspiring to hack into computer networks supporting major American retail and financial organizations, and to steal data relating to tens of millions of credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, U.S. Attorney for the District of New Jersey Paul J. Fishman, U.S. Attorney for the District of Massachusetts Carmen Milagros Ortiz and Director of the U.S. Secret Service Mark Sullivan. Gonzalez, aka “segvec,” “soupnazi” and “j4guar17,” pleaded guilty to two counts of conspiracy to gain unauthorized access to the payment card networks operated by, among others, Heartland Payment Systems, a New Jersey-based card processor; 7-Eleven, a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. The plea was entered in federal court in Boston before U.S. District Court Judge Douglas P. Woodlock. The case is one of the largest data breaches ever investigated and prosecuted in the United States."

    December 31, 2009
    * FTC, Partners Launch Consumer Protection Week Web Site, Blog

    News release: "The Federal Trade Commission has launched its Web site and blog for National Consumer Protection Week 2010, which will be held March 7-13. Consumer.gov/ncpw, encourages people to learn about their rights as consumers, and promotes free resources to help them protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams. The twelfth annual consumer protection week is a partnership between the FTC and other government agencies and consumer groups. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life – from grade school to retirement. The site for the event features a page for kids and parents, and highlights games, videos, and other Web sites that teach kids practical lessons about the role of business and government in their everyday lives."

    * FTC Issues Staff Report on Agency's Fraud Forum

    News release: "The Federal Trade Commission today issued a Fraud Forum staff report that examines more effective ways to protect consumers from fraudulent schemes and focus the collective knowledge and experience of forum participants to fight fraud. The February 2009 Forum was attended by academics, consumer advocates, industry representatives, and state and federal law enforcers. The Fraud Forum Report summarizes information presented at the event during panel and small group discussions on a range of issues including: the psychology of scammers and their victims, fraud statistics, under-reported fraud, and the role of private industry in detecting and preventing fraud."

  • A Staff Report On The Federal Trade Commission’s Fraud Forum By The Commission’s Division of Marketing Practices (December 2009)
  • December 19, 2009
    * NIST: Draft Security Requirements for Cryptographic Modules

    DRAFT Security Requirements for Cryptographic Modules (Revised Draft): "The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing."

    December 18, 2009
    * Cybersafety Booklet for Parents and Kids Now Available

    News release: "A new booklet released today by the Federal Trade Commission and other government agencies helps parents and teachers steer kids safely through the online and mobile phone worlds. Net Cetera: Chatting with Kids About Being Online was unveiled...by FTC Chairman Jon Leibowitz, U.S. Secretary of Education Arne Duncan, and Federal Communications Commission Chairman Julius Genachowski."

    December 15, 2009
    * FTC Issues Report to Congress on Use of its Enhanced Authority Under the U.S. SAFE WEB Act

    News release: "The Federal Trade Commission has issued a report to Congress examining how the agency has used the expanded law enforcement authority Congress provided in the U.S. SAFE WEB Act to protect American consumers since the Act was signed into law on December 22, 2006. The SAFE WEB Act authorizes the FTC to share information and work cooperatively with foreign law enforcement agencies to protect consumers from cross-border harm."

  • The U.S. SAFE WEB Act: The First Three Years: A Federal Trade Commission Report to Congress (December 2009)
  • December 09, 2009
    * FTC Exploring Privacy Roundtable Series

    "The Federal Trade Commission [is hosting] a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation." Via EPIC, The second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law.

  • FTC Privacy Initiatives Website
  • December 06, 2009
    * Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model

    Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model: "The Internet Security Alliance (ISA) report aimed at taking the Obama Administration’s Cyberspace Policy Review document to the next level. The report emphasizes the need to focus on the economics of cyber security."

    November 03, 2009
    * Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

    "The United States is increasingly dependent on information and information technology for both civilian and military purposes, as are many other nations. Although there is a substantial literature on the potential impact of a cyberattack on the societal infrastructure of the United States, little has been written about the use of cyberattack as an instrument of U.S. policy. Cyberattacks--actions intended to damage adversary computer systems or networks--can be used for a variety of military purposes. But they also have application to certain missions of the intelligence community, such as covert action. They may be useful for certain domestic law enforcement purposes, and some analysts believe that they might be useful for certain private sector entities who are themselves under cyberattack. This report considers all of these applications from an integrated perspective that ties together technology, policy, legal, and ethical issues. Focusing on the use of cyberattack as an instrument of U.S. national policy, Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights. Of special interest to the military, intelligence, law enforcement, and homeland security communities, this report is also an essential point of departure for nongovernmental researchers interested in this rarely discussed topic."

    October 31, 2009
    * Report - Lost Laptops: More Expensive Than You Think

    "New research quantifies the primary factors driving the cost of a lost or stolen laptop. Learn from Intel IT’s best practices."

  • "To better understand the range of potential outcomes, the Ponemon Institute compiled data on 138 instances of laptop loss or theft within a 12-month period by the employees, temporary employees, and subcontractors of a representative sample of U.S. businesses."
  • * Global Fraud Report Annual Edition 2009/2010

    Global Fraud Report Annual Edition 2009/2010

  • "Kroll commissioned The Economist Intelligence Unit to conduct a worldwide survey on fraud and its effect on business during 2009. A total of 729 senior executives took part in this survey. A little over a third of the respondents were based in North and South America, 25% in Asia-Pacific, just over a quarter in Europe and 11% in the Middle East and Africa. Ten industries were covered, with no fewer than 50 respondents drawn from each industry. The highest number of respondents came from the financial services industry (12%). A total of 46% of the companies polled had global annual revenues in excess of $1billion. This report brings together these survey results with the experience and expertise of Kroll and a selection of its affiliates. It includes content written by The Economist Intelligence Unit and other third parties."
  • October 28, 2009
    * New GAO Reports: 401(K) Plans, Higher Education and Disability, DOD Human Capital, NextGen Air Transport, Cyber Security
    • 401(K) Plans: Several Factors Can Diminish Retirement Savings, but Automatic Enrollment Shows Promise for Increasing Participation and Savings, GAO-10-153T, October 28, 2009
    • Higher Education and Disability: Education Needs a Coordinated Approach to Improve Its Assistance to Schools in Supporting Students, GAO-10-33, October 28, 2009
    • Human Capital: Monitoring of Safeguards and Addressing Employee Perceptions Are Key to Implementing a Civilian Performance Management System in DOD, GAO-10-102, October 28, 2009
    • Next Generation Air Transportation System: FAA Faces Challenges in Responding to Task Force Recommendations, GAO-10-188T, October 28, 2009
    • Critical Infrastructure Protection: Current Cyber Sector-Specific Planning Approach Needs Reassessment, GAO-09-969, September 24, 2009
    October 22, 2009
    * DOE OIG - The Agency's Unclassified Cyber Security Program 2009

    Evaluation Report, The Department's Unclassified, Cyber Security Program - 2009. DOE/IG-0828 October 2009

  • "Industry experts report that security challenges and threats are continually evolving as malicious activity has become more web-based and attackers are able to rapidly adapt their attack methods. In addition, the number of data breaches continues to rise. In an effort to mitigate and address threats and protect valuable information, the Department of Energy anticipated spending about $275 million in Fiscal Year (FY) 2009 to implement cyber security measures necessary to protect its information technology resources. These systems and data are designed to support the Department's mission and business lines of energy security, nuclear security, scientific discovery and innovation, and environmental responsibility."
  • October 19, 2009
    * Consumer Data Broker ChoicePoint Failed to Protect Consumers' Personal Data

    News release: "ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000. In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention."

    October 13, 2009
    * Rand: Cyberdeterrence and cyberwar

    Cyberdeterrence and cyberwar, by Martin C. Libicki: "This monograph presents the results of a fiscal year 2008 study, “Defining and Implementing Cyber Command and Cyber Warfare.” It discusses the use and limits of power in cyberspace, which has been likened to a medium of potential conflict, much as the air and space domains are. The study was conducted to help clarify and focus attention on the operational realities behind the phrase “fly and fight in cyberspace.” The basic message is simple: Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities. Permanent effects are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do so again. Something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought. This monograph is an attempt to start this rethinking."

    October 12, 2009
    October 07, 2009
    * FBI - Major Cyber Fraud Takedown

    FBI news release: "The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks. [October 7, 2009], authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme. The United States government is extremely grateful for the extraordinary assistance provided by the Egyptian government in this matter."

  • Citing Cybercrime, FBI Director Doesn't Bank Online: "The head of the U.S. Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt."
  • October 04, 2009
    * Cyber In-Security: Strengthening the Federal Cybersecurity Workforce

    "The U.S. is facing a cyber war. Foreign powers, criminal groups, hackers, and terrorist organizations have launched cyber attacks on the White House, Pentagon, State Department, and New York Stock Exchange; stolen data from the Pentagon’s fighter aircraft; and hacked into the nation’s electrical grid. There were millions of attempts to penetrate defense digital networks in 2008. In 2009, the General Accountability Office reported weaknesses in the capabilities of 23 of 24 federal agencies to detect or prevent cyber attacks. President Obama declared cybersecurity to be one of the nation’s most serious economic and security challenges. The federal government needs a coordinated, sustained effort to build the capability and caliber of the government’s cybersecurity workforce to combat these threats and ensure the nation’s safety. Booz Allen Hamilton and the Partnership for Public Service examined the state of the federal cybersecurity workforce by interviewing federal experts, examining public testimony and reports, holding focus groups, and surveying chief information officers (CIOs), chief information security officers (CISOs), and human resource professionals at 18 federal agencies. Results of this research were published in the study, Cyber In-Security: Strengthening the Federal Cybersecurity Workforce."

    October 02, 2009
    * UK Cybercrime Report 2009

    UK Cybercrime Report 2009

  • "UK cybercrime has rebounded to worrying levels, not seen since 2006, as a result of the recession and consumer complacency, according to Garlik’s annual UK Cybercrime report, now in its third year. The report, which analyses publicly available data to build a comprehensive view of cybercrime in the UK, revealed that during 2008 cybercriminals adapted to the social and economic changes in the UK to exploit victims in new ways and commit over 3.6 million criminal acts online (that’s over one every 10 seconds). In addition, the researchers believe that there is a growing complacency amongst consumers, demonstrating poor understanding of their responsibility to protect their personal information against fraud. One of the most significant changes in cybercrime has been the 207% increase in account takeover fraud indicating that criminals have now shifted their efforts from opening new accounts with stolen identities to accessing existing accounts. Savvy criminals have got round the drying up of available credit in the current economic climate to maintain their illegal activities. The report also highlights that online banking fraud has increased by a staggering 132%, with losses totalling £52.5 million, compared to £22.6 million in the previous year. This sharp rise can be mostly attributed to nearly 44,000 phishing websites specifically targeting banks and building societies in the UK. The total number of cybercrimes has increased annually between 2006 and 2008, however, the good news is that sexual offences have decreased as a category each year. All other categories dipped in 2007 but then in 2008 bounced back above their 2006 figure."
  • October 01, 2009
    * National Cybersecurity Awareness Month

    National Cybersecurity Awareness Month: "October marks the sixth annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. The theme for National Cybersecurity Awareness Month 2009 is “Our Shared Responsibility” to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good “cyber hygiene” and to protect themselves and their families at home, at work and at school. Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace."

    September 19, 2009
    * Legality of Intrusion-Detection System To Protect Unclassified Computers Networks In Executive Branch

    In following this January 9, 2009 memo, Legal Issues Relating to the Testing, Use and Deployment of an Intrusion-Detection System (EINSTEIN 2.0) to Protect Unclassified Computer Networks in the Executive Branch, this DOJ memo released September 18, 2009: Legality of Intrusion-Detection System To Protect Unclassified Computers Networks In Executive Branch - "Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws."

  • Department of Homeland Security Privacy Impact Assessment EINSTEIN 2, May 19, 2008. United States Computer Emergency Readiness Team (US-CERT): "EINSTEIN 2, will incorporate network intrusion detection technology capable of alerting the United States Computer Emergency Readiness Team (US‐CERT) to the presence of malicious or potentially harmful computer network activity in federal executive agencies’ network traffic. EINSTEIN 2 principally relies on commercially available intrusion detection capabilities to increase the situational awareness of the US‐CERT. This network intrusion detection technology uses a set of pre‐defined signatures based upon known malicious network traffic."
  • September 16, 2009
    * Google Buys reCAPTCHA - free anti-bot service that helps digitize books.

    "reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows...A CAPTCHA is a program that can tell whether its user is a human or a computer. You've probably seen them — colorful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from "bots," or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots cannot navigate sites protected by CAPTCHAs."

  • Official Google Blog - Teaching computers to read: Google acquires reCAPTCHA
  • September 13, 2009
    * Senators Lieberman, Collins Point to Cybercrime Epidemic

    News release: "Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., Sunday said the latest trend in cybercrime is directed at small to medium sized companies that have been robbed of both data and dollars...The thieves steal in amounts under $10,000 to avoid triggering a bank report required by anti-money laundering law. The malware is so well written that the traffic seems to be coming from an authorized computer – and possibly is a legitimate computer that has been commandeered. The money is then transferred to “money mules” who may have been recruited over internet job boards or who have posted resumes on a job listing serviceThe Committee will hold a hearing September 14, 2009, Cyber Attacks: Protecting Industry Against Growing Threats, to examine this new trend, and the Senators plan to introduce broad cyber security legislation later this fall that will improve cyber security in the private sector."

    September 11, 2009
    * International Hacker Pleads Guilty for Massive Hacks of U.S. Retail Networks

    Follow up to August 1, 2009 posting - Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks - today's news release: "An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity. Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks."

    August 20, 2009
    * New Release Identifies Proliferation of ID Theft Malware

    "PandaLabs issued a release on the proliferation of identity theft malware during times of economic crisis. Our research found that the number of users affected by malware designed for identity theft has increased 600 percent this year compared to the same time in 2008. PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats each day. Of these, 71 percent are Trojans, mostly aimed at stealing bank details or credit card numbers, as well as passwords for other commercial services. Between January and July 2009, PandaLabs received 11 million new threats, approximately 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51 percent of new Trojans that PandaLabs received in 2007."

    August 17, 2009
    * Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks

    News release: "Albert Gonzalez, 28, of Miami, Fla., was indicted today for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of New Jersey Ralph J. Marra Jr. and U.S. Secret Service Assistant Director for Investigations Michael Merritt...The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."

    August 05, 2009
    * Remarks by Secretary Napolitano at the Global Cyber Security Conference

    Remarks by Secretary Napolitano at the Global Cyber Security Conference, August 4, 2009: "We have to look at the landscape now; but, more important, we have to—I think—acknowledge amongst ourselves that in terms of cybersecurity we've been living in a cyber 1.0 world and we need to be cyber 3.0 and beyond. Because the minute we start talking about a particular methodology of cyber the cyber bad guys are already moving ahead. This is a very, very rapidly evolving environment in which real crime and real damage can occur."

    July 23, 2009
    * FTC Testifies About Efforts to Combat Fraudulent and Deceptive Advertising

    News release: "The Federal Trade Commission testified today before the U.S. Senate on its efforts to combat deceptive advertising in the face of rapid changes in health care, technology, and online marketing strategies. In testimony before the Senate Committee on Commerce, Science, and Transportation’s Subcommittee on Consumer Protection, Product Safety, and Insurance, David Vladeck, Director of the FTC’s Bureau of Consumer Protection, described the Commission’s recent law enforcement and regulatory efforts addressing deceptive advertising."

    July 18, 2009
    * Javelin: U.S. Credit Card Issuers Dramatically Improve Customer Fraud Detection

    News release: Javelin Strategy & Research released its Fifth Annual Card Issuers’ Identity Safety Scorecard, which analyzes the top 25 U.S. card issuers’ capabilities for protecting customers from identity fraud. To compile the report, Javelin incorporated data from annual household, consumer, and issuer surveys using Javelin’s Prevention, Detection and Resolution™ criteria to accurately reflect customer demands and trends in how issuers protect against fraud. The Javelin scorecard is a structured assessment of each issuer’s fraud protection services. The scorecard ranks features that best empower two major victims of the nation’s $48B identity fraud problem—cardholders and issuers—showing how to turn the tables on a worrying method of crime."

    July 14, 2009
    * FTC Testifies About Crackdown on Scams Tied to the Economic Downturn

    News release: "The Federal Trade Commission testified before the U.S. Senate today on the agency’s campaign to crack down on scammers who are trying to take advantage of the economic downturn to push a variety of scams, such as phony job-placement and debt-reduction services, get-rich-quick schemes, and bogus government grants...In response to the rise in financial distress scams, on July 1, 2009, the Commission announced “Operation Short Change,” a joint initiative with 14 states, the Department of Justice, and other agencies that included more than 120 law enforcement actions."

  • Hearing - The Economy and Fraud: Protecting Consumers During Downward Economic Times - Consumer Protection, Product Safety, and Insurance: "The reality is that with the economic challenges we face, families are more vulnerable than ever to financial scams, predatory marketing practices, and economic fraud. We all see the news every day about more layoffs, plant closings, soaring prices and more cutbacks in West Virginia and across the nation. No one deserves the potential ruin these schemes threaten. We have a responsibility to uncover them and provide consumers with the tools they need to avoid becoming victims of fraud and abuse.”
  • Related postings on financial system
  • July 12, 2009
    * PBS Frontline: Ghana - Digital Dumping Ground

    PBS.org FRONTLINE - Ghana, Digital Dumping Ground: "When containers of old computers first began arriving in West Africa a few years ago, Ghanaians welcomed what they thought were donations to help bridge the digital divide. But soon exporters learned to exploit the loopholes by labeling junk computers "donations"...[What is on the hard drives from this junk PCs'?] There is private financial data...credit card numbers, account information, records of online transactions the original owners may not have realized were even there. Ghana is listed by the U.S. State Department as one of the top sources of cyber crime in the world. And it's not just individuals who are exposed. One of the drives the team has purchased contains a $22 million government contract. It turns out the drive came from Northrop Grumman, one of America's largest military contractors. And it contains details about sensitive, multi-million dollar U.S. government contracts. They also find contracts with the defense intelligence agency, NASA, even Homeland Security."

  • Related postings on e-waste and recycling
  • July 01, 2009
    * FTC Cracks Down on Scammers Trying to Take Advantage of the Economic Downturn

    News release: "The Federal Trade Commission today announced a law enforcement crackdown on scammers trying to take advantage of the economic downturn to bilk vulnerable consumers through a variety of schemes, such as promising non-existent jobs; promoting overhyped get-rich-quick plans, bogus government grants, and phony debt-reduction services; or putting unauthorized charges on consumers’ credit or debit cards. Dubbed “Operation Short Change,” the law enforcement sweep announced today includes 15 FTC cases, 44 law enforcement actions by the Department of Justice, and actions by at least 13 states and the District of Columbia."

  • Related postings on financial system
  • June 25, 2009
    * DOE OIG: Incident Handling and Privacy Act

    U.S. Department of Education, Office of Inspector General, Information Technology Audits Division - Incident Handling and Privacy Act Controls over External Web Sites, Final Audit Report, Redacted, ED-OIG/A11I0006, June 10, 2009.

  • "Based on our review, the Department’s Chief Information Officer (CIO) must improve security controls over the incident response and handling program and accelerate two-factor authentication for protecting Privacy Act information to adequately protect the confidentiality, integrity, and availability of the personally identifiable information (PII) data residing on public web sites. During our audit, we also identified significant conditions related to the work performed regarding [Redacted Text] and public domain web site establishment and maintenance.
  • June 24, 2009
    * Comparing Technology Innovation in the Private and Public Sectors

    "Corporate websites generally offer more innovative features than public-sector sites, largely because the private sector spends about a third more on websites, according to a Brookings Institution study, Comparing Technology Innovation in the Private and Public Sectors. The study, released in mid-June, compares the websites of leading U.S. corporations with state and national governments, grades their overall performance, and examines nearly two dozen features of digital innovation.

    Using a 100-point scale, the study report concludes that corporations have the most innovative websites (65 points) and are trailed as a group by state government (54) and federal government (51). The top-rated site in the federal government category, USA.gov (92), equaled the score for the top-rated corporate site, WellsFargo.com. Other top-rated federal sites were USDA.gov, GSA.gov, USPS.com, IRS.gov, and ED.gov. Delaware.gov (83.7) was the top-rated state site, followed by the official websites of Georgia, Florida, California, Massachusetts and Maine. The report also revealed that public websites provide more security and are better at protecting privacy. Although federal government websites were the most accessible to users with disabilities, 75% percent of its websites were not completely accessible."

    June 23, 2009
    * Defense Secretary Announces Creation of Unified U.S. Cyber Command

    WSJ: "Defense Secretary Robert Gates created a new military command dedicated to cyber security on Tuesday, reflecting the Obama administration's plans to centralize and elevate computer security as a major national-security issue. In a memo to senior Pentagon officials, Mr. Gates said he intends to recommend that Lt. Gen. Keith Alexander, director of the National Security Agency, take on the additional role as commander of the Cyber Command with the rank of a four-star general."

    June 17, 2009
    * New GAO Reports: Broadcasting to Cuba, Polar-Orbiting Satellites, Troubled Asset Relief Program, American Battle Monuments
    • Broadcasting to Cuba: Observations Regarding TV Marti's Strategy and Operations, GAO-09-758T, June 17, 2009
    • Identity Theft: Governments Have Acted to Protect Personally Identifiable Information, but Vulnerabilities Remain, GAO-09-759T, June 17, 2009
    • Polar-Orbiting Environmental Satellites: With Costs Increasing and Data Continuity at Risk, Improvements Needed in Tri-agency Decision Making, GAO-09-564, June 17, 2009
    • Polar-Orbiting Satellites: With Costs Increasing and Data Continuity at Risk, Improvements Needed in Tri-agency Decision Making, http://www.gao.gov/new.items/d09772t.pdf, June 17, 2009
    • Telecommunications: Preliminary Observations about Consumer Satisfaction and Problems with Wireless Phone Service and FCC's Efforts to Assist Consumers with Complaints, GAO-09-800T, June 17, 2009
    • Troubled Asset Relief Program: June 2009 Status of Efforts to Address Transparency and Accountability Issues, GAO-09-658, June 17, 2009
    • American Battle Monuments Commission: Management Action Needed to Improve Internal Control Procedures, GAO-09-714R, June 17, 2008
    June 14, 2009
    * Cyber-Ark 2009 Trust, Security & Passwords Survey Research Brief

    2009 Trust, Security & Passwords Survey Research Brief: "This global "snooping" survey is the third in a series of benchmark studies focused on identifying security and privacy trends among IT workers. Results are intended to raise awareness about the risks associated with powerful, and often unmanaged, privileged users and passwords. While seemingly innocuous, these accounts provide workers with "keys to the kingdom," allowing them to access critically sensitive information, no matter where it resides."

    June 11, 2009
    * Federal Agencies Issue Frequently Asked Questions on Identity Theft Rules

    News release: "Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address. The “Red Flags and Address Discrepancy Rules,” which implement sections of the Fair and Accurate Credit Transactions Act of 2003, were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC)."

  • Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies
  • June 09, 2009
    * DHS OIG: Progress in Addressing Security Challenges at Washington Dulles International Airport

    OIG-09-66 - DHS' Progress in Addressing Technical Security Challenges at Washington Dulles International Airport (Redacted), May 2009

  • "...more work is needed to address physical and environmental control deficiencies. CBP also needs to implement technical controls to ensure that it is using the most current version of operating systems. Further, CBP [U.S. Customs and Border Protection] should ensure that system documentation includes information concerning vulnerabilities and accepted risks."
  • June 07, 2009
    * FTC Shuts Down Notorious Rogue Internet Service Provider

    News release: "A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP’s upstream providers and data centers have disconnected its servers from the Internet."

  • Federal Trade Commission v. Pricewert LLC also d/b/a 3FN.net, Triple Fiber Network, APS Communications, and APS Communication
  • May 29, 2009
    * Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure

    White House: Securing Our Digital Future, Melissa Hathaway, Cybersecurity Chief at the National Security Council, discusses securing our nation's digital future.

  • Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure, May 29, 2009: "The President directed a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cybersecurity. Cybersecurity policy includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. The scope does not include other information and communications policy unrelated to national security or securing the infrastructure. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, State governments, international partners, and the Legislative and Executive Branches. This paper summarizes the review team’s conclusions and outlines the beginning of the way forward towards a reliable, resilient, trustworthy digital infrastructure for the future."
  • * New GAO Reports: Federal Reserve Banks Security Controls, National Preparedness
    • Defense Management: Observations on DOD's Analysis of Options for Improving Corrosion Prevention and Control through Earlier Planning in the Requirements and Acquisition Processes, GAO-09-694R, May 29, 2009
    • Federal Reserve Banks: Areas for Improvement in Information Security Controls, GAO-09-722R, May 29, 2009
    • Financial Audit: Senate Restaurants Revolving Fund for Fiscal Years 2008 and 2007, GAO-09-409, May 29, 2009
    • Sponsored Noncitizens and Public Benefits: More Clarity in Federal Guidance and Better Access to Federal Information Could Improve Implementation of Income Eligibility Rules, GAO-09-375, May 19, 2009
    • National Preparedness: FEMA Has Made Progress, but Needs to Complete and Integrate Planning, Exercise, and Assessment Efforts, GAO-09-369, May 07, 2009
    May 28, 2009
    * NIST: Working Definition of Cloud Computing Released

    "NIST announces that its working definition of cloud computing is available. Researchers worked in collaboration with industry and government to draft the definition that serves as a foundation for its research and future publication on the topic. Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Researchers are studying cloud architectures, economics, security and deployment strategies for the federal government."

    May 25, 2009
    * U.S. Government Agencies and Internet Retailers Receive Failing Grade in

    News release: " The Online Trust Alliance (OTA) gave leading government agencies and online retailers a failing grade in preventing deceptive email and phishing scams based on its newly released analysis of email authentication adoption. While adoption has grown over the past year, OTA found approximately 56 percent of the top .gov sites – including Whitehouse.gov, FBI.gov, Treasury.gov and DHS.gov – still are not protecting U.S. citizens through the use of email authentication. At the same time, progress has been made by other government agencies including the Census Bureau, CIA, FDIC, VA and FTC."

    * OTA releases drafts Online Safety Principles for Public Comment

    News release: "...the Online Trust Alliance (OTA) released its 2009 draft Online Trust Principles for public comment. The Principles are a major step toward establishing business practices that afford greater consumer online protection and the long term vitality of online commence and interactive marketing."

    May 08, 2009
    * DOT OIG: Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems

    Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems, May 04, 2009

  • "On May 4, 2009, we issued our report on Federal Aviation Administration (FAA) web applications security and intrusion detection in air traffic control (ATC) systems, requested by the Ranking Minority Members of the full House Transportation and Infrastructure Committee and its Aviation Subcommittee. We found that web applications used in supporting ATC systems operations were not properly secured to prevent attacks or unauthorized access. During the audit, our staff gained unauthorized access to information stored on web application computers and an ATC system, and confirmed system vulnerability to malicious code attacks. In addition, we found that FAA had not established adequate intrusion–detection capability to monitor and detect potential cyber security incidents at ATC facilities. Intrusion–detection systems have been deployed to only 11 (out of hundreds of) ATC facilities. Also, cyber incidents detected were not remediated in a timely manner."
  • May 05, 2009
    * New GAO Reports: Cyber Threats and Federal Systems, GAO Oversight
    • Information Security: Cyber Threats and Vulnerabilities Place Federal Systems at Risk, GAO-09-661T, May 5, 2009: "Cyber threats to federal information systems and cyber-based critical infrastructures are evolving and growing. These threats can be unintentional and intentional, targeted or nontargeted, and can come from a variety of sources, such as foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization. Moreover, these groups and individuals have a variety of attack techniques at their disposal, and cyber exploitation activity has grown more sophisticated, more targeted, and more serious. As government, private sector, and personal activities continue to move to networked operations, as digital systems add ever more capabilities, as wireless systems become more ubiquitous, and as the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow."
    • Recovery Act: GAO's Efforts to Work with the Accountability Community to Help Ensure Effective and Efficient Oversight, GAO-09-672T, May 5, 2009: "GAO is carrying out its responsibilities to review the uses of Recovery Act funds and will also target certain areas for additional review using a riskbased approach. GAO’s first bimonthly report examined the steps 16 states, the District of Columbia, and selected localities are taking to use and oversee Recovery Act funds. These states contain about 65 percent of the U.S. population and are estimated to receive about two-thirds of the intergovernmental grant funds available through the Recovery Act. GAO’s report made several recommendations to the Office of Management and Budget (OMB) toward improving accountability and transparency requirements; clarifying the Recovery Act funds that can be used to support state efforts to ensure accountability and oversight; and improving communications with Recovery Act funds recipients."
    • Related postings on financial system
    April 15, 2009
    * Symantec Internet Security Threat Report Volume XIV: April, 2009

    "The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a one-year period. It covers Internet threat activities, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The fourteenth version of the report, released April 14, 2009, is now available."

  • Internet Security Threat Report Volume XIV: April, 2009 - Analysis of threat activity January - December 2008.
  • Executive Summary: April, 2009
  • April 14, 2009
    * DHS Reports on Rightwing and Leftwing Extremists
    April 07, 2009
    * WSJ: Electricity Grid in U.S. Penetrated by Spies

    "Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials...But protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage."

  • See also North American Electric Reliability Corporation letter to Industry Stakeholders, April 7, 2009: "...as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations...One of the more significant elements of a cyber threat, contributing to the uniqueness of cyber risk, is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyber attacker to impact multiple assets at once, and from a distance."
  • * Sustainable Critical Infrastructure Systems: A Framework for Meeting 21st Century Imperatives

    National Academies Press, prepublication: Sustainable Critical Infrastructure Systems: A Framework for Meeting 21st Century Imperatives, 2009.

  • "For the people of the United States, the 20th century was one of unprecedented population growth, economic development, and improved quality of life. The critical infrastructure systems-water, wastewater, power, transportation, and telecommunications-built in the 20th century have become so much a part of modern life that they are taken for granted. By 2030, 60 million more Americans will expect these systems to deliver essential services. Large segments and components of the nation's critical infrastructure systems are now 50 to 100 years old, and their performance and condition are deteriorating. Improvements are clearly necessary. However, approaching infrastructure renewal by continuing to use the same processes, practices, technologies, and materials that were developed in the 20th century will likely yield the same results: increasing instances of service disruptions, higher operating and repair costs, and the possibility of catastrophic, cascading failures. If the nation is to meet some of the important challenges of the 21st century, a new paradigm for the renewal of critical infrastructure systems is needed. This book discusses the essential components of this new paradigm, and outlines a framework to ensure that ongoing activities, knowledge, and technologies can be aligned and leveraged to help meet multiple national objectives."
  • April 06, 2009
    * CRS: Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations

    Follow up to April 5, 2009 posting Senate Staff Working Draft of Cybersecurity Act of 2009, see this related CRS report: Comprehensive National Cybersecurity Initiative (CNCI): Legal Authorities and Policy Considerations, March 10, 2009

  • "In response to the CNCI and other proposals, questions have emerged regarding: (1) the adequacy of existing legal authorities—statutory or constitutional—for responding to cyber threats; and (2)
    the appropriate roles for the executive and legislative branches in addressing cybersecurity. The new and emerging nature of cyber threats complicates these questions. Although existing statutory provisions might authorize some modest actions, inherent constitutional powers currently provide the most plausible legal basis for many potential executive responses to national security related cyber incidences. Given that cyber threats originate from various sources, it is difficult to determine whether actions to prevent cyber attacks fit within the traditional scope of executive power to conduct war and foreign affairs. Nonetheless, under the Supreme Court jurisprudence, it appears that the President is not prevented from taking action in the cybersecurity arena, at least until Congress takes further action. Regardless, Congress has a
    continuing oversight and appropriations role. In addition, potential government responses could be limited by individuals’ constitutional rights or international laws of war. This report discusses the legal issues and addresses policy considerations related to the CNCI."
  • April 05, 2009
    * Senate Staff Working Draft of Cybersecurity Act of 2009

    CDT: "A cybersecurity bill introduced April 01, 2009 in the Senate would give the federal government extraordinary power over private sector Internet services, applications and software. The Cybersecurity Act of 2009 would, for example, give the President unfettered power to shut down Internet traffic in emergencies or disconnect any critical infrastructure system or network on national security grounds. The bill would grant the Commerce Department the ability to override all privacy laws to access any information about Internet usage in connection with a new role in tracking cybersecurity threats. The bill, introduced by Sens. John Rockefeller and Olympia Snowe, would also give the government unprecedented control over computer software and Internet services, threatening innovation, freedom and privacy. CDT President and CEO Leslie Harris said, "The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."

  • Cybersecurity Act of 2009, April 01, 2009: "To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes."
  • Bill Creating a White House Cybersecurity Advisor, April 01, 2009

  • March 30, 2009
    * FBI's Internet Crime Complaint Center - 2008 Internet Crime Report

    "In December 2003, the Internet Fraud Complaint Center (IFCC) was renamed the Internet Crime Complaint Center (IC3) to better reflect the broad character of such criminal matters having a cyber (Internet) nexus. The 2008 Internet Crime Report is the eighth annual compilation of information on complaints received and referred by the IC3 to law enforcement or regulatory agencies for appropriate action. From January 1, 2008 – December 31, 2008, the IC3 website received 275,284 complaint submissions. This is a (33.1%) increase when compared to 2007 when 206,884 complaints were received. These filings were composed of complaints primarily related to fraudulent and non-fraudulent issues on the Internet."

    March 06, 2009
    * Director of National Cybersecurity Center Resigns

    WSJ: "The government's coordinator for cybersecurity programs has quit, criticizing what he described as the National Security Agency's grip on cybersecurity. Rod Beckstrom, a former Silicon Valley entrepreneur, said in his resignation letter that the NSA's central role in cybersecurity is "a bad strategy" because it is important to have a civilian agency taking a key role in the issue. The NSA is part of the Department of Defense."

  • Mr. Beckstrom's resignation letter: "...the NCSC [National Cybersecurity Center] did not receive appropriate support inside DHS during the last administration to fully realize its vital role."
  • March 01, 2009
    * FTC Releases List of Top Consumer Complaints in 2008

    "The Federal Trade Commission released the list of top consumer complaints received by the agency in 2008. The list, contained in the publication Consumer Sentinel Network Data Book for January-December 2008, showed that for the ninth year in a row, identity theft was the number one consumer complaint category. Of 1,223,370 complaints received in 2008, 313,982 – or 26 percent – were related to identity theft."

  • "The Consumer Sentinel Network (CSN) received over 1.2 million complaints during calendar year 2008: 52% fraud complaints; 26% identity theft complaints; and 22% other types of complaints. This year’s report is the first to include the other types of complaints. Identity theft was the number one complaint category in the CSN for calendar year 2008 with 26% of the overall complaints, followed by Third Party and Creditor Debt Collection (9%); Shop-at-Home and Catalog Sales (4%); Internet Services (4%); Foreign Money Offers and Counterfeit Check Scams (3%); Credit Bureaus, Information Furnishers and Report Users (3%); Prizes, Sweepstakes and Lotteries (3%); Television and Electronic Media (2%); Banks and Lenders (2%); and Telecom Equipment and Mobile Services (2%)."
  • February 23, 2009
    * Report: Data Loss Risks During Downsizing

    Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data, February 23, 2009

  • "Sponsored by Symantec, Ponemon Institute independently conducted this national study...to understand what employees are doing with the data on the laptops their employers provided them. According to our findings, 59% of employees who leave or are asked to leave are stealing company data. Moreover, 79% of these respondents admit that their former employer did not permit them to leave with company data. Our study reveals that companies are doing a very poor job at preventing former employees from stealing data. Only 15% of respondents’ companies review or perform an audit of the paper and/or electronic documents employees are taking. If they conduct a review, 45% say it was not complete and 29% say it was superficial."
  • February 10, 2009
    * President Obama Directs the National Security and Homeland Security Advisors to Conduct Immediate Cyber Security Review

    News release: "President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security. This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector. "The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Assistant to the President for Counterterrorism and Homeland Security John Brennan. Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period."

    February 01, 2009
    * CWE/SANS TOP 25 Most Dangerous Programming Errors

    News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."

    The Top 25 Errors are listed below in three categories:

    January 09, 2009
    * PWC: Global state of information security survey 2008

    "The Global state of information security survey 2008 is a worldwide security survey by PricewaterhouseCoopers, CIO Magazine and CSO Magazine. It was conducted online from March 25 to June 26, 2008. Readers of CIO and CSO Magazines and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 119 countries. Thirty-nine percent (39%) of respondents were from North America, twenty-seven percent (27%) from Europe, seventeen percent (17%) from Asia, fifteen percent (15%) from South America, and two percent (2%) from the Middle East and South Africa."

    January 07, 2009
    * Identity Theft Resource Center's 2008 Breach Report

    News release: "Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest."

    December 20, 2008
    * Coalition Letter to President-elect Obama on the Future of Privacy

    "Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” For more information visit EPIC’s A-Z Privacy Page."

    December 18, 2008
    * FTC Issues Report on Social Security Numbers and Identity Theft

    News release: "The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities...The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud...The FTC report also recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted that such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability of SSNs could unintentionally curtail those functions. Finally, the report recommends steps to improve data security, increase outreach to consumers and businesses on the protection of SSNs, and enhance coordination and information-sharing among organizations that routinely use SSNs."

  • Security In Numbers: Social Security Numbers and Identity Theft: A Federal Trade Commission Report Providing Recommendations On Social Security Number Use In the Private Sector (December 2008)
  • December 08, 2008
    * Securing Cyberspace for the 44th Presidency

    "The Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency has released its final report, Securing Cyberspace for the 44th Presidency. The Commission’s three major findings are: cybersecurity is now one of the major national security problems facing the United States; decisions and actions must respect American values related to privacy and civil liberties; and only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation."

    December 01, 2008
    * DOE OIG Reports: Grenade Launcher Qualification Requirements, Cyber Security Risk Management Practice

  • Inspection Report - 40 MM Grenade Launcher Qualification Requirements at Department of Energy Sites, November 2008: "The Department of Energy and its National Nuclear Security Administration (NNSA), operate some of the most sensitive Federal facilities in the United States. Because of the mission requirements, safeguards and security is a top priority at these sites. As part of its security regime, the Department maintains a cadre of armed protective force officers to prevent and defend against malevolent acts. In recent years, the Department has worked to enhance security by increasing the capabilities of weapon systems used by the protective force officers. One such weapon is the 40 mm grenade launcher, which utilizes high explosive ammunition to defeat adversary personnel and equipment. A number of Department sites have procured these
    weapons."
  • Audit Report - Cyber Security Risk Management Practice at the Southeastern, Southwestern, and Western Area Power Adminstrations, November 2008: "The Southeastern, Southwestern, and Western Area Power Administrations provide electrical power to customers in 29 states. To support this critical function, the Power Marketing Administrations (PMAs) utilize infornlation systems to conduct various activities, including financial management, marketing, and transferring wholesale electrical power across the Nation's electrical grids. In particular, Southwestern and Western operate supervisory control and data acquisition (SCADA) systems - systems
    critical to controlling the flow of electricity to the power grid. The power grids are part of the U.S. critical infrastructure. Interruptions in these control systems for an extended period could adversely impact the PMAs' customers."
  • November 17, 2008
    * Live Piracy Map 2008

    From the ICC Commercial Crime Services (CCS) - "the anti-crime arm of the International Chamber of Commerce": Live Piracy Map 2008 - "This map shows all the piracy incidents reported by the IMB Piracy Centre in Kuala Lumpur during 2008. Please click on the pins for more details of the specific incident or zoom in for more accurate location information."

    * Report: Online Threats to Youth: Solicitation, Harassment, and Problematic Content

    Online Threats to Youth: Solicitation, Harassment, and Problematic Content, Literature Review by the Research Advisory Board of the Internet Safety Technical Task Force, Andrew Schrock and Danah Boyd, Berkman Center for Internet & Society, Harvard University, Draft Version. November 14, 2008

  • "The goal of this literature review is to map out what is currently known about the risks youth face and the youth who face them to further discussions about online safety. We believe that the first step in helping youth is to understand the problems that are occurring. The best solutions will be those that address real dangers, real risks, and the interrelated dynamics that put youth at risk. We do not discuss potential solutions, but we feel as though the research described in this document is essential for those who are looking to develop solutions."
  • November 10, 2008
    * Worldwide Infrastructure Security Report 2008

    Worldwide Infrastructure Security Report, Volume III: "Arbor Networks®, Inc., in cooperation with the Internet security operations community, has completed the third edition of an ongoing series of annual operational security surveys. This survey, covering a 12-month period from July 2006 through June 2007, is designed to provide data useful to network operators so that they can make informed decisions about their use of network security technology to protect their mission-critical infrastructures. It is also meant to serve as a general resource for the Internet operations and engineering community, recording information on trends and employment of various infrastructure security techniques."

    * Spamalytics: An Empirical Analysis of Spam Marketing Conversion

    Spamalytics: An Empirical Analysis of Spam Marketing Conversion, October 2008 - Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson† Stefan Savage

  • "The “conversion rate” of spam — the probability that an unsolicited e-mail will ultimately elicit a “sale” — underlies the entire spam value proposition. However, our understanding of this critical behavior is quite limited, and the literature lacks any quantitative study concerning its true value. In this paper we present a methodology for measuring the conversion rate of spam. Using a parasitic infiltration of an existing botnet’s infrastructure, we analyze two spam campaigns: one designed to propagate a malware Trojan, the other marketing on-line pharmaceuticals. For nearly a half billion spam e-mails we identify the number that are successfully delivered, the number that pass through popular anti-spam filters, the number that elicit user visits to the advertised sites, and the number of “sales” and “infections” produced.
  • November 08, 2008
    * Identity Theft Resource Center 2008 Breach List

    News release: "The total number of breaches in on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event."

    October 23, 2008
    * Identity Management Task Force Report 2008

    Office of Science and Technology Policy (OSTP) in the Executive Office of the President - Identity Management Task Force Report 2008, released September 2008

  • "The Task Force’s scope was limited to federal government systems, with the full understanding that these systems frequently rely on and impact IdM systems beyond federal control. This report presents an overview of the current state of federal IdM systems and also presents a high-level vision of how these systems can be holistically designed to provide better services while increasing privacy protection. The purpose of this report is to initiate further discussion on this vision, inform policy decisions, and provide direction on which to base near-term research."
  • October 21, 2008
    * The President's Identity Theft Task Force Report, September 2008

    News release: "Attorney General Michael B. Mukasey and Federal Trade Commission Chairman William E. Kovacic announced today the release of a report from the President’s Identity Theft Task Force on progress the federal government has made in addressing identity theft since the Task Force’s Strategic Plan was released last year. Highlights of the report include expansion of the Task Force’s data security and identity theft business and consumer education campaigns; exploring means of improving consumer authentication processes to prevent the use of stolen information to commit identity theft; launching new initiatives to help identity theft victims recover; and improving law enforcement tools to investigate and prosecute identity thieves."

  • The President's Identity Theft Task Force Report (September 2008)
  • October 11, 2008
    * Fox News: World Bank Under Cyber Siege in 'Unprecedented Crisis'

    FOX News: "The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

    In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an "unprecedented crisis." In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public."

    October 10, 2008
    * Consumers Warned to Avoid Fake E-mails Tied to Bank Mergers

    News release: "Online scammers are taking advantage of tough economic times. While e-mails phishing for sensitive data are nothing new, scammers are taking advantage of upheavals in the financial marketplace to confuse consumers into parting with valuable personal information. The Federal Trade Commission urges caution regarding e-mails that look as if they come from a financial institution that recently acquired a consumer’s bank, savings and loan, or mortgage. In fact, these messages may be from “phishers” looking to use personal information – account numbers, passwords, Social Security numbers – to run up bills or commit other crimes in a consumer’s name. Consumers are warned not to take the bait. The FTC has advice about how to stay on guard against this type of scam. To learn more, see the consumer alert Bank Failures, Mergers and Takeovers: A ‘Phish-erman’s Special.

    October 09, 2008
    October 01, 2008
    * FTC's Cyber Security Site Gets an Upgrade

    News release: "The Federal Trade Commission’s Web site that helps consumers stay on guard against Internet fraud is revamping to provide extra tools for cyber safety. The FTC’s announcement of the newly designed and improved site comes on the first day of October, which is National Cyber Security Awareness Month. Since the September 2005 launch of www.OnGuardOnline.gov and its Spanish-language counterpart, www.AlertaEnLínea.gov, more than 8.1 million visitors have learned about computer security at these sites. Now, with the help of 22 federal agencies, industry organizations, and non-profit groups, the FTC has introduced a variety of new features to help consumers avoid Internet fraud, secure their computers, and protect their personal information...The articles, games, and videos on the site provide information on 16 topics, including social networking, phishing, spam scams, and laptop security."

    September 24, 2008
    * DOE IG: The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2008

    The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2008, DOE/IG-0802 September 2008

  • "The Commission had taken action to improve cyber security practices and implemented protective measures designed to defend its networks against malicious attackers and other external threats. Our evaluation, however, disclosed that additional actions are needed to
    reduce the risk of compromise to the Commission's business information systems and data to an acceptable level."
  • September 19, 2008
    * Bureau of Justice Statistics: Cybercrime Against Businesses, 2005

    Cybercrime against Businesses, 2005: "Presents the nature and prevalence of computer security incidents among 7,818 businesses in 2005. This is the first report to provide data on monetary loss and system downtime resulting from cyber incidents. It examines details on types of offenders, reporting of incidents to law enforcement, reasons for not reporting incidents, types of systems affected, and the most common security vulnerabilities. The report also compares in-house security to outsourced security in terms of prevalence of cyber attacks. Appendix tables include industry-level findings."

    September 16, 2008
    * New GAO Reports: Cyber Analysis and Warning, Critical Infrastructure Protection, Certifying Voting Systems
    • Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability, GAO-08-588, July 31, 2008
    • Critical Infrastructure Protection: DHS Needs to Better Address Its Cybersecurity Responsibilities, GAO-08-1157T, September 16, 2008
    • Critical Infrastructure Protection: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise, GAO-08-825, September 09, 2008
    • Environmental Health: EPA Efforts to Address Children's Health Issues Need Greater Focus, Direction, and Top-Level Commitment, GAO-08-1155T, September 16, 2008
    • Information Technology: Federal Laws, Regulations, and Mandatory Standards to Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors, GAO-08-1075R, September 16, 2008
    • Elections: Federal Program for Certifying Voting Systems Needs to Be Further Defined, Fully Implemented, and Expanded, GAO-08-814, September 16, 2008
    • Diversity Management: Important Actions Taken and Planned to Further Enhance Diversity, GAO-08-1160T, September 16, 2008
    • Digital Television Transition: Information on the Implementation of the Converter Box Subsidy Program and Consumer Participation in the Program, GAO-08-1161T, September 16, 2008
    • Diversity at GAO: Sustained Attention Needed to Build on Gains in SES and Managers, GAO-08-1156T, September 16, 2008
    • Diversity at GAO: Sustained Attention Needed to Build on Gains in SES and Managers, GAO-08-1098, September 10, 2008
    September 08, 2008
    * Remarks by Homeland Security Secretary Michael Chertoff at Brookings on the Nation’s Critical Infrastructure

    News release: "...today's topic is going to cover a different kind of vulnerability, not the vulnerability to identity but the vulnerability to the physical world in which we operate. That is our critical infrastructure. And I want in particular to talk about how these vulnerabilities look to me as we enter the 21st century, and what we have to do to reduce the risk to our critical infrastructure in the years to come."

  • Fact Sheet: Critical Infrastructure and Homeland Security Protection Accomplishments
  • September 03, 2008
    * CERT: Understanding Voice over Internet Protocol (VoIP)

    Cyber Security Tip ST05-018 - Understanding Voice over Internet Protocol (VoIP): "Because VoIP relies on your internet connection, it may be vulnerable to any threats and problems that face your computer. The technology is still new, so there is some controversy about the potential for attack, but VoIP could make your telephone vulnerable to viruses and other malicious code. Attackers may be able to perform activities such as intercepting your communications, eavesdropping, conducting effective phishing attacks by manipulating your caller ID, and causing your service to crash. Activities that consume a large amount of network resources, like large file downloads, online gaming, and streaming multimedia, will also affect your VoIP service."

    August 30, 2008
    * Threats to Internet Routing and Global Connectivity

    Threats to Internet Routing and Global Connectivity, 20th Annual FIRST Conference, Vancouver, British Columbia Canada, June 2008 (69 page presentation) includes discussion of the following topics:

    • Physical problems (Physical Infrastructure: Natural, accidental or intentional destruction)
        Earthquakes, Anchors/Backhoes, Hurricanes
    • Routing Vulnerabilities (Logical Infrastructure: if routers cannot direct traffic appropriately, the Internet is broken.)
        Misconfigurations, hijacks, attacks
    • Business Conflicts (Competitors might not want to exchange traffic.)
        De-peerings
    August 26, 2008
    * Steady Increase in IDThefts Recorded So Far For 2008

    News release: "Today, the total number of breaches in on the Identity Theft Resource Center’s (ITRC) 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event....Breaches: 449 Exposed: 22,091,338."

    August 19, 2008
    * Secretary Chertoff Addresses Secure Identity Challenges

    News release: "Secretary Chertoff spoke on the balance between privacy and secure identity August 13 at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events. He addressed crimes involving identity theft, and talked about identity validation and authentication, the associated financial costs, the effect on illegal workers, the universe of tools available for identity management, and possible solutions that address the concerns of privacy advocates."

    August 12, 2008
    * Study: State AGs Fail to Adequately Protect Online Consumers

    News release: "State attorneys general received thousands of consumer complaints of online fraud and abuse in 2006 and 2007 and yet, with the exception of several notable standouts, brought few significant cases in response, according to a report released today from the Center for American Progress and the Center for Democracy and Technology, Online Consumers at Risk and the Role of State Attorneys General."

    * Google Reports Virus Email Activity At All Time High In July 2008

    Official Google Enterprise Blog: "In July, our Postini datacenters saw the biggest volume of email virus attacks so far in 2008, with a peak of nearly 10 million messages on July 24. One of the more prominent attacks in the month involved a spoofed UPS package-tracking link that was intended to lure recipients into clicking on it and downloading malware. Our zero-hour virus protection technology first started catching these emails on July 20."

    July 22, 2008
    * FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

    M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 14, 2008) (43 pages)

      "Agencies should also submit their most current documentation related to OMB Memorandum M-07-16, of May 22, 2007, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, This information should be provided in an appendix to your annual report and include the following items for your agency:
    • Breach notification policy
    • Implementation plan and progress update on eliminating unnecessary use of Social Security Numbers (SSN);
    • Implementation plan and progress update on review and reduction of holdings of personally identifiable information (PII); and
    • Policy outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules."

    July 14, 2008
    * FTC Issues Staff Report on Roundtable Discussion About Phishing Education

    News release: "The Federal Trade Commission today released a staff report on a Roundtable Discussion on Phishing Education that it hosted in April. Approximately 60 experts from business, government, the technology sector, the consumer advocacy community, and academia met at the FTC to discuss strategies for outreach to consumers about avoiding phishing. Phishers use deceptive spam that appears to come from legitimate, well-known sources to trick consumers into divulging sensitive or personal information, such as credit account numbers or passwords, often through a link to a copycat of the purported source’s Web site."

  • Roundtable Discussion On Phishing Education: A Staff Report By the Federal Trade Commission’s Division of Consumer and Business Education and Division of Marketing Practices (July 2008)
  • July 08, 2008
    * ‘Red Flag’ Regulations Require Financial Institutions and Creditors to Have Identity Theft Prevention Programs

    Federal Trade Commission: "Financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new Red Flags Rules.

    The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

    The Commission staff is launching an outreach effort to explain the Rules in greater detail. It has now published a general alert on what the Rules require, and, in particular, an explanation of which businesses - financial institutions and creditors - are covered by the Rules."

    July 03, 2008
    * FTC Will Study Experiences of Identity Theft Victims

    News release: "The Federal Trade Commission plans to study the experiences of identity theft victims by conducting a survey of consumers who contacted the FTC after they were victimized. The proposed survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge. The survey will seek information from identity theft victims who contacted the FTC between January 1 and May 30, 2008, and will inquire about their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights. The survey results will help guide the FTC’s efforts to enforce the law and educate consumers and the consumer reporting industry about their rights and duties."

  • ID Theft Proposed Survey
  • July 01, 2008
    * Identity Theft Resource Center 2008 Breach Report

    News release: "The ITRC Breach Report total has reached an all-time high. Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The actual number of breaches is likely even higher, due to underreporting and the fact that some of the breaches reported as a single event actually affected multiple businesses.

    The ITRC Breach Report sub-divides all breaches into five categories. To date, the 2008 ITRC Breach Stats Report indicates the following: 17.0% government/military agencies, 21.3% from educational institutions, 36.8% from general businesses, 14.9% from health care facilities / companies, and 10% from banking / credit / financial services entities.

    Click here for the 2008 ITRC Breach report. Click here for the 2008 ITRC Breach Stats Report broken down by categories which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care). Please check regularly as this list is updated weekly.

    June 18, 2008
    * New GAO Reports: Afghanistan Security, Homeland Security, Federal Agency Privacy Officers, Privacy of Citizen Personal Data
    • Afghanistan Security: Further Congressional Action May Be Needed to Ensure Completion of a Detailed Plan to Develop and Sustain Capable Afghan National Security Forces, GAO-08-661, June 18, 2008
    • Afghanistan Security: U.S. Efforts to Develop Capable Afghan Police Forces Face Challenges and Need a Coordinated, Detailed Plan to Help Ensure Accountability, GAO-08-883T, June 18, 2008
    • Architect of the Capitol: Progress in Improving Energy Efficiency and Options for Decreasing Greenhouse Gas Emissions, GAO-08-917T, June 18, 2008
    • Financial Audit: Material Weaknesses in Internal Control over the Processes Used to Prepare the Consolidated Financial Statements of the U.S. Government, GAO-08-748, June 17, 2008
    • Homeland Security: The Federal Protective Service Faces Several Challenges That Hamper Its Ability to Protect Federal Facilities, GAO-08-683, June 11, 2008
    • Homeland Security: The Federal Protective Service Faces Several Challenges That Raise Concerns About Protection of Federal Facilities, GAO-08-914T, June 18, 2008
    • Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions, GAO-08-603, May 30, 2008
    • Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, GAO-08-536, April 19, 2008
    • Privacy: Congress Should Consider Alternatives for Strengthening Protection of Personally Indentifiable Information, GAO-08-795T, June 18, 2008
    June 14, 2008
    * PC World Guide to Protecting Your Identity Online

    A Guide to Protecting Your Identity Online, Rosemary Haworth, PC Advisor

    June 13, 2008
    * Identity Theft: The Aftermath 2007

    Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.

    * FTC Testifies on Spyware

    News release: "The Federal Trade Commission...told the Senate Committee on Commerce, Science, and Transportation that “legislation authorizing the Commission to seek civil penalties in spyware cases could add a potent remedy to those otherwise available to the Commission.” In testimony to the Committee, Eileen Harrington, Deputy Director of the FTC’s Bureau of Consumer Protection, said that when other enforcement options – seeking consumer redress or making the operators give up their ill-gotten gains – are not appropriate or sufficient remedies to deter spyware distributors, “a civil penalty may be the most appropriate remedy and serve as a strong deterrent.” The testimony states that the agency supports legislation that would provide “the Commission this valuable law enforcement tool.”

    June 10, 2008
    * Social Security Administration's Internal Use of Employees' Social Security Numbers

    OIG: The Social Security Administration's Internal Use of Employees' Social Security Numbers. A-13-07-27164 06/09/08

  • "The Social Security number (SSN) was created in 1936 as a means of tracking workers’ earnings and eligibility for Social Security benefits. Nevertheless, the SSN has become a de facto national identifier used by Federal agencies, State and local governments, and private organizations. The expanded use of the SSN as a national identifier provides a tempting motive for unscrupulous individuals to acquire and use it for illegal purposes."
  • * Working Paper: Do Data Breach Disclosure Laws Reduce Identity Theft?

    Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University

  • "Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured. We use a panel from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices."

  • June 08, 2008
    * Akamai Technologies Releases Annual State of the Internet Report

    Akamai, 1st Quarter 2008 - The State of the Internet Report.

    "During the first quarter, Akamai observed attack traffic originating from 125 unique countries around the world. China and the United States were the two largest attack traffic sources, accounting for some 30% of this traffic in total. Akamai observed attack traffic targeted at 23 unique network ports. Many of the ports that saw the highest levels of attack traffic were targeted by worms, viruses, and bots that spread across the Internet several years ago. A number of major network “events” occurred during the first quarter that impacted millions of Internet users. Cable cuts in the Mediterranean Sea severed Internet connectivity between the Middle East and Europe, drastically slowing communications. Cogent’s de-peering of Telia
    impacted Internet communications for selected Internet users in the United States and Europe for a two-week period. A routing change by Pakistan Telecom that spread across the Internet essentially took YouTube, a popular Internet video sharing site, offline for several hours.

    May 24, 2008
    * Google Safe Browsing Diagnositic Tool

    Via Google Blogoscoped, "Google [has a] malware diagnosis service; just append any domain – your domain or another site you want to check on – to the end of the URL google.com/safebrowsing/diagnostic?site=, or paste a domain in the box below, and you will find an overview page listing potential problems like trojans or exploits (or the result may be telling you the site is OK)."

    May 23, 2008
    * FERC Chairman Testifies on Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid Event

    Chairman Kelliher testified before the House Homeland Security Committee, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid

  • "The Congress made FERC responsible for overseeing the reliability of the bulk power system, but it provided specific restrictions on the procedures to be used to develop and put into effect mandatory reliability standards. [Section 215 of the Federal Power Act] is an adequate basis to protect the bulk power system against most reliability threats, and for that reason I do not believe there is a need to amend section 215. However, I believe a different statutory mechanism is needed to protect the grid against cyber security threats, given the nature of these threats."

  • May 06, 2008
    * Yahoo Announces Search Feature to Fight Malware

    Yahoo Search Blog: "Today, we're announcing the beta release of SearchScan, a new feature from Yahoo! Search that helps protect users from viruses, spyware and spam. We've heard from users that security and privacy continue to be major concerns when they are online. We've also learned that solutions that require downloads and constant updating are less than ideal. To tackle the problem, we partnered with McAfee to build a feature that provides a safer and hassle-free search experience to all users...How does it work? SearchScan leverages McAfee's SiteAdvisor technology to alert users if risky websites appear in Yahoo! Search results. Starting today, SearchScan will be turned on by default for all users in the U.S., Canada, UK, France, Italy, Germany, Australia, New Zealand, and Spain..."

    April 27, 2008
    * EU Backs Criminalizing Posting Bomb Making Instructions on Web

    European Digital Rights: "The European Ministers of Justice and Internal Affairs have agreed to make publishing bomb-making instructions on the Internet a crime...Justice and interior ministers from the EU member states backed a proposal from Commissioner Frattini to harmonise the normative acts that will make the "public provocation to commit a terrorist offence, recruitment, and training for terrorism" a crime. According to the statements of the EU officials publishing these acts on the Internet completed the European legislation in this domain. They described the Internet as "a virtual training camp for militants, used to inspire and mobilise local groups." Gilles de Kerchove, the EU anti-terrorism co-ordinator, declared that there are approx. 5,000 websites that are used to radicalise young people."

    April 26, 2008
    * International Privacy Officials Recommend Social Networking Privacy Safeguards

    EPIC: "The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also
    recommended to raise the awareness of regulators, providers and the general public."

  • Report and Guidance on Privacy in Social Network Services - ”Rome Memorandum” - 43rd meeting, 3-4 March 2008, Rome (Italy)

  • A brochure containing all documents adopted by the International Working Group until 2006 (in German and English) is available for download here.
  • April 18, 2008
    * Journal of Public Inquiry Fall/Winter 2007-2008

    The Inspectors General, Journal of Public Inquiry Fall/Winter 2007/08 (96 pages, PDF)

  • "The Journal is a semiannual publication of the President’s Council on Integrity and Efficiency (PCIE) and the Executive Council on Integrity and Efficiency (ECIE), which together includes 64 statutory Inspectors General who oversee stewardship in the federal government..We are pleased to present over a dozen entries ranging from essays, speeches and Georgetown University capstone papers. The entries encompass themes ranging from audit advisory committees, the
    role of inspectors general in Eastern Europe, pubic integrity and the importance of identity protection. The highlighted article in this version of the Journal is entitled, “Sunshine is the Best Antiseptic,” and outlines the work that the IG Community has done to improve transparency in government and identifies the challenges that lie ahead."
  • April 08, 2008
    * Treasury OIG Audit: Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information

    Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071

  • "Because the IRS sends sensitive taxpayer and administrative information across its networks, routers on the networks must have sufficient security controls to deter and detect unauthorized use. Access controls for IRS routers were not adequate, and reviews to monitor security configuration changes were not conducted to identify inappropriate use. A disgruntled employee, contractor, or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems."
  • April 03, 2008
    * FBI: Reported Dollar Loss from Internet Crime Reaches All-Time High

    News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."

    * New FTC Videos Help Consumers Spot Phishing Scams

    News release: "The Federal Trade Commission has released three 60-second videos to help alert consumers to phishing scams. Phishing uses deceptive spam to trick consumers into divulging sensitive or personal information, including credit card numbers and other financial data, through an email or a link to a “copycat” site. The goal of the videos is to offer practical, useful, and memorable messages. The videos are the newest tool on OnGuardOnline.gov, the agency’s multimedia initiative to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. The award-winning site features tips, articles, how-to videos, interactive quizzes, and tutorials in English and Spanish. The new videos also will be featured on YouTube and on the FTC Web site here."

    April 01, 2008
    * Cybercrime Legislation: EU Country Profiles

    Cybercrime Legislation - Country profiles: "These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation. They do not necessarily reflect official positions of the countries covered or of the Council of Europe."

  • Octopus Interface 2008 - Cooperation against Cybercrime,
    Tuesday 1 - Wednesday 2 April 2008, Council of Europe, Strasbourg, France. "The 2008 Conference will focus on the cooperation between service providers and law enforcement, the state of cybercrime legislation and the effectiveness of international cooperation. In the face of the increasing vulnerability of societies to the threat of cybercrime the Conference provides a platform for enhancing cooperation among key stakeholders from around the world."
  • March 30, 2008
    * DHS Releases Privacy Technology Implementation Guide and Incident Handling Guidance

  • Privacy Technology Implementation Guide (PTIG), August 2007 (PDF, 36 pages): "The Privacy Office developed a new general guide for technology managers and developers to integrate privacy protections into operational IT systems. This new guide, the Privacy Technology Implementation Guide (PTIG) combines elements of privacy protection from disparate privacy compliance requirements, as well as a administrative policies and procedures into a single document, contextualized for managers and developers of operational systems. The PTIG is designed to allow each Component the flexibility to adapt privacy considerations to the way that Component does business while retaining a common DHS approach. The result is a new guide that provides early awareness of privacy issues and the aspects of systems that can be managed and developed to address privacy issues and streamline the process of complying with existing privacy protection requirements."
  • Privacy Incident Handling Guidance (PIHG), September 2007 (PDF, 109 pages): "The Department of Homeland Security (DHS) has a duty to safeguard personally identifiable information (PII) in its possession and to prevent the breach of PII in order to maintain the public’s trust. The Privacy Incident Handling Guidance (PIHG) serves this purpose by informing DHS organizations, employees, senior officials, and contractors of their obligation to protect PII and by establishing procedures delineating how they must respond to the potential loss or compromise of PII."
      Additional documents from the DHS Privacy Policy Guidance, Action Memorandum released:
    1. Attachment 2: Protecting & Handling Personnel-Related Data – Quick Reference Guide (PDF, 2 pages)
    2. Attachment 3: Verification and Confirmation Memorandum Templates (Self-Assessment and Training Certifications), (PDF, 2 pages)
    3. Attachment 4: DHS Employee Communication from Scott Charbo and Maureen Cooney regarding Data Security and Privacy, June 8, 2006 (PDF, 2 pages)
    4. Attachment 6: OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007 (PDF, 22 pages)
  • March 27, 2008
    * FTC Announces Settlement of Action Against Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data

    News release: "In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases."

  • In the Matter of Reed Elsevier Inc. and Seisint, Inc., FTC File No. 052-3094
  • March 25, 2008
    * The Financial Action Task Force Issues Terrorist Financing Report

    "The Financial Action Task Force (FATF) is an inter-governmental body whose purpose is the development and promotion of national and international policies to combat money laundering and terrorist financing."

  • FATF Terrorist Financing Report, March 14, 2008 (37 pages, PDF): "This study examines the means used by terrorists to raise funds and the wide variety of methods used to move money within and between organisations. The adaptability and opportunism shown by terrorist organisations suggests that all the methods that exist to move money around the globe are to some extent at risk."
  • March 22, 2008
    * Bank Tech Spending in 2008

    Exclusive TowerGroup Research Report: Bank Tech Spending in 2008: "Though banks’ IT budgets are likely to shrink if economic conditions worsen, demand for technologies that improve efficiency and integration, client engagement, and security and fraud management will continue, according to TowerGroup research."

    March 18, 2008
    * DOE OIG Audit Report: Management of the Department's Publicly Accessible Websites

    U.S. Department of Energy, Office of Inspector General, Office of Audit Services, Audit Report, Management of the Department's Publicly Accessible Websites, March 2008.

      "Our audit identified several opportunities to improve the security and management of the Department's publicly accessible websites. Specifically:
    • We identified over 50 significant cyber security incidents in the last three fiscal years, about half involving the defacement of web pages, which, in our judgment, could have been prevented had proper security controls been in place;
    • Content on publicly accessible web servers was not always controlled and reviewed periodically, contributing to an additional eight incidents which involved the exposure of personally identifiable information to unauthorized or malicious sources; and,
    • Most of the organizations reviewed also had not incorporated
      contingency/emergency planning features, provided accessibility for individuals with disabilities, and/or disabled unneeded computer services for their publicly accessible websites - factors that decreased the utility and increased the risk of malicious damage to those websites.

    * Study of Worldwide Airports Reveals Wireless Security Risks for Travelers and Airport Operations

    Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.

    One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."

    March 10, 2008
    * DHS Fact Sheet: Cyber Storm II National Cyber Exercise

    DHS Fact Sheet: Cyber Storm II National Cyber Exercise - "In March 2008, the Department of Homeland Security’s National Cyber Security Division (NCSD) will sponsor its second large-scale national cyber exercise, Cyber Storm II. Planned in close coordination with and driven by its stakeholders and participants, the exercise will center on a cyber-focused scenario that will escalate to the level of a cyber incident requiring a coordinated Federal response. Exercises such as Cyber Storm II are critical in maintaining and strengthening cross-sector, inter-governmental and international relationships, enhancing processes and communications linkages, as well as ensuring continued improvement to cyber security procedures and processes. Cyber Storm II is part of Homeland Security's ongoing risk-based management effort to use exercises to enhance government and private sector response to a cyber incident, promote public awareness, and reduce cyber risk within all levels of government and the private sector."

    March 06, 2008
    * HHS OIG: Proposed Revisions to Existing Privacy Act Systems of Records: Federal Register Notice

    HSS Office of Inspector General Privacy Act of 1974; Revisions to OIG’s Privacy Act System of Records: Criminal Investigative Files, Federal Register, March 4, 2008.

  • Action: Notice of proposed revisions to existing Privacy Act systems of records. OIG has reviewed and is now proposing to revise the criminal investigative file system of records by (1) amending the "Routine Uses of Records Maintained in the System" section by adding a new paragraph o. to address the requirement for a routine use for the disclosure of information in the investigation of data breaches of
    Personally Identifiable Information, in accordance with Office of Management and Budget Memorandum M–07–16; and (2) amending the "Policies and Practices for Storing, Retrieving, Reviewing, Retaining, and Disposing of Records in the Storage System" portion of the system of records to update the discussion on access methods for the mainframe and the storage location of data so that it is consistent with current technology."
  • March 02, 2008
    * Measuring Identity Theft at Top Banks (Version 1.0)

    Chris Hoofnagle, Measuring Identity Theft at Top Banks (Version 1.0) February 26, 2008. Berkeley Center for Law and Technology. Law and Technology Scholarship (Selected by the Berkeley Center for Law & Technology). Paper 44.

  • "There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect account holders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions. This is a first attempt to meaningfully compare institutions on their performance in avoiding identity theft. This analysis faces several challenges that are described in the methods section."
  • * Data Breach Notification Laws, State By State

    Data Breach Notification Laws, State By State, by Scott Berinato, "More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out."

    March 01, 2008
    * EU Safer Internet Plus Programme

    "The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."

  • Make the internet a safer place, February 2008: While the international context is complex, the EU has set certain standards across Europe, clarifying many legal issues. The internet related issues, however, cannot be tackled by legal measures alone, and are generally greater than parents realise. With broadband access growing – both via PCs and ‘third generation’ (3G) mobile phones – and as the internet becomes an increasingly important part of children’s lives, these figures are not likely to become less disturbing without
    concerted action."
  • February 25, 2008
    * Snowe Introduces Bi-Partisan Legislation Aimed at Protecting Nation's Internet Users

    News release: "A bi-partisan group of Senators from the Commerce, Science and Transportation Committee led by U.S. Senators Olympia J. Snowe (R-Maine), Bill Nelson (D-Florida) and the Committee’s Ranking Member Ted Stevens (R-Alaska), introduced today bi-partisan legislation aimed at ending the deceptive practice known as phishing. The Anti-Phishing Consumer Protection Act of 2008 would prohibit phishing – the deceptive solicitation of a consumer’s personal information through the use of emails, instant messages, and misleading websites that trick recipients into divulging their information for the purpose of identity theft. The legislation would also prohibit related abuses, such as the practice of using fraudulent or misleading domain names, by defining them as deceptive practices under the FTC Act."

    February 24, 2008
    * Research Paper: Cold Boot Attacks on Encryption Keys

    Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Haldermany, Seth D. Schoenz, Nadia Heningery, William Clarksony, William Paulx, Joseph A. Calandrinoy, Ariel J. Feldmany, Jacob Appelbaum, and Edward W. Felteny. Princeton University, Electronic Frontier Foundation, Wind River Systems. February 21, 2008.

    • Introductory blog post

    • Frequently asked questions

    • Experiment guide

    • Videos and images

    • Abstract: "Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount successful attacks on popular disk encryption systems using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them."

    February 13, 2008
    * FTC Releases List of Top Consumer Fraud Complaints in 2007

    "The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication Consumer Fraud and Identity Theft Complaint Data January-December 2007, showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.

    The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and the 50 metropolitan areas reporting the highest incidence of identity theft.

    The report states that credit card fraud was the most common form of reported identity theft at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.

    Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.


    February 11, 2008
    * Educational Security Incidents (ESI) Year in Review - 2007

    Educational Security Incidents (ESI) Year in Review - 2007: "By Adam Dodge - Posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition to new categories such as incident type "Employee Fraud" and information type "Username and Password".

    February 10, 2008
    * One person in eight in the EU27 avoids e-shopping because of security concerns

    Press release: "In connection with the 5th Safer Internet Day1 on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."

    February 06, 2008
    * Cisco Study on Remote Workers Reveals Need for Greater Diligence Toward Security

    "Cisco® today announced key findings from its annual global study on remote workers' security awareness and online behavior, indicating how they can inadvertently heighten risks for themselves and the companies they work for. The study's findings are prompting Cisco security executives to offer recommendations to information technology (IT) professionals on how to protect their companies against threats and maximize the business benefits of distributed and mobile workforces."

    February 05, 2008
    * DNI Statement for the Record - Senate Intelligence Committee Hearing

    Annual Threat Assessment of the Director of National Intelligence for the Senate Select Committee on Intelligence, February 5, 2008, J. Michael McConnell, Director of National Intelligence (47 pages, PDF).

  • "You will see from the testimony that many of the key topics I touch on are not traditional “national security” topics. Globalization has broadened the number of threats and challenges facing the United States. For example, as government, private sector, and personal activities continue to move to networked operations and our digital systems add ever more capabilities, our vulnerability to penetration and other hostile cyber actions grows. The nation, as I indicated last year, requires more from our Intelligence Community than ever before and consequently we need to do our business better, both internally, through greater collaboration across disciplines and externally, by engaging more of the expertise available outside the Intelligence Community."
  • February 04, 2008
    * FBI Identifies Recurring Fraudulent E-mail Scam

    Press release: "The FBI has recently developed information indicating cyber criminals are attempting to once again send fraudulent e-mails to unsuspecting recipients stating that someone has filed a complaint against them or their company with the Department of Justice or another organization such as the Internal Revenue Service, Social Security Administration, or the Better Business Bureau."
    Related resources:

  • FBI's New E-Scams & Warnings website

  • The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).
  • February 01, 2008
    * Privacy Rights Clearinghouse: A Chronology of Data Breaches

    A Chronology of Data Breaches, updated January 30, 2008

    January 31, 2008
    * Minimizing the Effect of Malware on Your Computer: FTC Offers Information on Protecting, Reclaiming Your Computer

    "Criminals are hard at work thinking up creative ways to get malware on your computer, warns the Federal Trade Commission. With appealing Web sites, desirable downloads, and compelling stories, these criminals try to lure consumers to links that will download malware, especially on computers that don’t use adequate security software. Then, they use the malware – malicious software – to steal personal information, send spam, and commit fraud. A new publication from the FTC has information that could help consumers protect their computers against malware and reclaim their computer and electronic information if malware is already on their computer. The publication, Minimizing the Effects of Malware, provides tips on spotting malware, and urges consumers to act immediately if they suspect their computer is affected by malware."

    January 19, 2008
    * FERC Approves New Reliability Standards for Cyber Security

    "The Federal Energy Regulatory Commission (FERC) approved eight new mandatory critical infrastructure protection (CIP) reliability standards to protect the nation’s bulk power system against potential disruptions from cyber security breaches. These reliability standards were developed by the North American Electric Reliability Corporation (NERC), which FERC has designated as the electric reliability organization (ERO)...The final rule, Mandatory Reliability Standards for Critical Infrastructure Protection, takes effect 60 days from the later of either the date Congress receives the agency notice of the rule, or the date the rule is published in the Federal Register."

    The eight CIP reliability standards address the following topics:
    * Critical Cyber Asset Identification;
    * Security Management Controls;
    * Personnel and Training;
    * Electronic Security Perimeters;
    * Physical Security of Critical Cyber Assets;
    * Systems Security Management;
    * Incident Reporting and Response Planning; and
    * Recovery Plans for Critical Cyber Assets.

    January 18, 2008
    * SANS Reports CIA Confirms Cyber Attack Caused Multi-City Power Outage

    SANS NewsBites - Volume: X, Issue: 5

  • "On Wednesday, in New Orleans, US Central Intelligence Agency senior analyst Tom Donahue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
  • * USA*Engage and NFTC Call SEC's Activity on Enhanced Access to Company Disclosures 'Inappropriate'

    Press release: "USA*Engage and the National Foreign Trade Council (NFTC) today sent formal comments to the U.S. Securities and Exchange Commission (SEC), recommending that the Commission reconsider its proposal to further develop mechanisms to facilitate greater access to companies’ disclosures concerning their business activities in or with certain countries designated as “state sponsors of terrorism.” In comments sent to the SEC, the associations noted that U.S. companies operating in such countries are conducting legal, legitimate business, and that the proposed mechanism actually punishes those companies who are most transparent."

    January 12, 2008
    * Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks

    Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks, by Saar Drimer and Steven J. Murdoch, Computer Laboratory, University of Cambridge

  • "Modern smartcards, capable of sophisticated cryptography, provide a high assurance of tamper resistance and are thus commonly used in payment applications. Although extracting secrets out of smartcards requires resources beyond the means of many would-be thieves, the manner in which they are used can be exploited for fraud. Cardholders authorize financial transactions by presenting the card and disclosing a PIN to a terminal without any assurance as to the amount being charged or who is to be paid, and have no means of discerning whether the terminal is authentic or not. Even the most advanced smartcards cannot protect customers from being defrauded by the simple relaying of data from one location to another. We describe the development of such an attack, and show results from live experiments on the UK’s EMV implementation, Chip & PIN. We discuss previously proposed defences, and show that these cannot provide the required security assurances. A new defence based on a distance bounding protocol is described and implemented, which requires only modest alterations to current hardware and software. As far as we are aware, this is the first complete design and implementation of a secure distance bounding protocol. Future smartcard generations could use this design to provide cost-effective resistance to relay attacks, which are a genuine threat to deployed applications. We also discuss the security-economics impact to customers of enhanced authentication mechanisms."

  • January 02, 2008
    * Open Access to Personal Data on E-Gov Sites Expose Citizens to ID Theft

    Washington Post, Online Records May Aid ID Theft, Government Sites Post Personal Data, By Bill Brubaker: "Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."

    December 29, 2007
    * OSAC Activity Report: November 2007

    US State Department's Overseas Security Advisory Council (OSAC) Activity Report: November 2007

  • AP: US State Department issues Top 10 list of security threats for US businesses: "...Intellectual property theft, terrorism, natural disasters and political instability were listed as the most serious security challenges in Asia."
  • December 28, 2007
    * FTC Issues Staff Report on Malicious Spam and Phishing

    Press release: "In a new report, the Federal Trade Commission staff describes findings from its July 2007 workshop, “Spam Summit: The Next Generation of Threats and Solutions” and proposes follow-up action steps that stakeholders can adopt to mitigate the harmful effects of malicious spam and phishing. In addition to proposing action steps for stakeholders, the report provides an overview of the agency’s decade-long role in protecting consumers from the threats of fraudulent spam and phishing. The report also announces results from staff’s 2007 Harvesting and Filtering Study, which suggest that Internet service providers’ spam filters continue to serve an integral role in reducing the amount of spam that reaches consumers’ in-boxes."

  • Spam Summit: The Next Generation of Threats and Solutions (39 pages, PDF)
  • December 26, 2007
    * 2007 Annual Study: U.S. Cost of a Data Breach

    Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventitive Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation."

    December 17, 2007
    * Management Challenges at the Department of Energy

    DOE OIG Special Report: Management Challenges at the Department of Energy, December 2007

  • "Based on work performed by the Office of Inspector General over the past year, the following represent the most serious challenges facing the Department of Energy: Contract Management, Cyber Security, Environmental Cleanup, Human Capital Management, Project Management
    Safeguards and Security, Stockpile Stewardship."
  • December 11, 2007
    * Widespread Use and Availability of Social Security Numbers Puts Americans at Risk for ID Theft

    Press release: "The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports. The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity... Jeannine Kenney, Senior Policy Analyst with Consumers Union...presented findings of a Consumer Reports National Research Center poll at the FTC forum showing that 89 percent of Americans want state and federal lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. The poll also found that nearly all consumers want the right to freeze access to their credit files to prevent new account fraud. Currently 39 states and the District of Columbia give consumers the right to a security freeze and the three major credit bureaus have made the freeze available to consumers in the remaining states."

  • Also from Consumers Union, more information about the Social Security number privacy bills pending in Congress
  • December 05, 2007
    * CRS Report - Botnets, Cybercrime, and Cyberterrorism

    Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Updated November 15, 2007. "Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could
    secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security...This report discusses options now open to nation states, extremists, or terrorist groups for obtaining malicious technical services from cybercriminals to meet political or military objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical infrastructure."

    December 02, 2007
    * Awareness of Security Freeze Legislation and Use of Security Freezes by Consumers Age 18+

    Awareness of Security Freeze Legislation and Use of Security Freezes by Consumers Age 18+ Research Report, Jennifer H. Sauer, M.A., AARP Knowledge Management, Neal Walters, AARP Public Policy Institute, November 2007

  • "All but eleven states have enacted Security Freeze laws designed to protect consumers from identity theft. These laws give consumers the right to block their credit report from the view of others. This April-May 2007 AARP telephone survey explores the awareness of security freezes and the use of such freezes among consumers aged 18 and over living in California, Connecticut, Louisiana, Maine, Nevada, New Jersey, and North Carolina. In these selected states, the security freeze laws have been in effect for at least one year and they allow all consumers to place a security freeze on their credit report."
  • November 29, 2007
    * Annual McAfee Virtual Criminology Report

    McAfee Virtual Criminology Report - Cybercrime: The Next Wave - The annual McAfee global cyber trends study into organized crime and the Internet in collaboration with leading international security experts, November 2007.

  • "For this report we consulted with more than a dozen security specialists at top institutions such as NATO, the FBI, SOCA, the Center for Education and Research in Information Assurance and Security (CERIAS), the International Institute for Counter -Terrorism in Israel and the London School of Economics. These experts are also on the front lines in the fi ght against cybercrime every day, and we asked for their insights on the state of this dangerous underworld - as well as their predictions on where it’s going next...the experts agree that cybercrime has evolved significantly in complexity and scope. Espionage. Trojans. Spyware. Denial-of-service attacks. Phishing scams. Botnets. Zero-day exploits. The unfortunate reality is that no one is immune from this malicious industry’s reach — individuals, businesses, even governments. As the world has flattened, we’ve seen a signifi =cant amount of emerging threats from increasingly sophisticated groups attacking organizations around the world. And it’s only going to get worse..."

  • November 27, 2007
    * FTC Releases Survey of Identity Theft in the U.S. Study Shows 8.3 Million Victims in 2005

    Press release: "The Federal Trade Commission today released a survey showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005. Of the victims, 3.2 million, or 1.4 percent of all adults, experienced misuse of their existing credit card accounts; 3.3 million, or 1.5 percent, experienced misuse of non-credit card accounts; and 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds were committed using their personal identifying information."

  • Federal Trade Commission: 2006 Identity Theft Survey Report: Prepared for the Commission by Synovate (November 2007)
  • November 21, 2007
    * UK Government Loses Personal Data on 25 Million Citizens

    20 November 2007, Statement to the House of Commons by Chancellor of the Exchequer, Alistair Darling, MP, on HMRC

  • "With your permission Mr Speaker I should like to make a statement on the breach of procedures which led to missing personal data relating to child benefit from Her Majesty's Revenue and Customs...The National Audit Office - which is independent of Government, but answerable to Parliament - has a right to ask for and access data from HMRC in discharging its compliance responsibilities. In March of this year it appears that a junior official within HMRC provided the National Audit Office with a full copy of HMRC's data in relation to the payment of child benefit [The missing information contains details of all child benefit recipients: records for 25 million individuals and 7.25 million families. These records include the recipient and their children's names, addresses and dates of birth, it includes Child Benefit numbers, National Insurance Numbers, and, where relevant, bank or building society account details]. In doing so it is clear that the strict rules governing HMRC standing procedures were not followed. These procedures relate to the security and access to data as well as its transit to ensure that data is properly protected. This information should not have been handed over by HMRC in the way that it was. However, I understand that in this case the NAO subsequently returned all the information it received in March to HMRC after auditing it. It now appears that following a further request from the NAO in October for information from the Child Benefit database, and again at a junior level and again contrary to all HMRC standing procedures, two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's post system operated by the courier TNT. The package was not recorded or registered. Mr Speaker, it appears the data has failed to reach the addressee in the NAO. Mr Speaker, I also have to tell the House that on finding that the package had not arrived at the NAO, a further copy of this data was sent, this time by registered post, and which did arrive at the NAO. However, again HMRC should never have let this happen. Although it is believed the data was sent from HMRC to the NAO on 18 October, the fact it did not arrive it was not reported to HMRC's senior management until 8 November, nearly 3 weeks later. I was informed on Saturday 10 November and immediately instructed that comprehensive searches be carried out of all premises where the missing data might be found. These searches are continuing...On Monday 12 November HMRC informed me that evidence might have had been found of the route taken by the data and that the data was likely to be found. However, by Wednesday 14 November it was clear to me that the HMRC searches had failed to find them. I therefore instructed the Chairman of HMRC to call in the Metropolitan Police to conduct a full investigation in order to find the missing package."
  • November 14, 2007
    * National Fraud Awareness Week, November 11-17, 2007

    "Fraud Awareness Week is dedicated to promoting fraud awareness and educating businesses and the public about the growing global impact of fraud. Therefore, this is an appropriate time to address and promote basic steps that can be taken to recognize, report, and reduce the risk of becoming a victim of fraudulent activities. In recognition of Fraud Awareness Week, NCJRS presents this online compilation of resources addressing fraud:

  • Prevention and Education, October 2007

  • Resources for Victims

  • Investigation and Enforcement

  • See also National Criminal Justice Reference Service - Investigative Uses of Technology: Devices, Tools and Techniques (169 pages, PDF)
  • November 12, 2007
    * Dark Web Terrorism Research Sponsored by University of Arizona

    The University of Arizona Artificial Intelligence Lab Dark Web project: "Based on our actual spidering experience over the past 5 years, we believe there are about 50,000 sites of extremist and terrorist content as of 2007, including: web sites, forums, blogs, social networking sites, video sites, and virtual world sites (e.g., Second Life). The largest increase in 2006-2007 is in various new Web 2.0 sites (forums, videos, blogs, virtual world, etc.) in different languages (i.e., for home-grown groups, particularly in Europe). We have found significant terrorism content in more than 15 languages...We believe our Dark Web collection is the largest open-source extremist and terrorist collection in the academic world."

    November 01, 2007
    * Consumers Union Online Guide to ID Theft Safeguards

    Press release: "Starting November 1, consumers in all 50 states will be able to freeze access to their credit files at all three major credit bureaus to prevent identity thieves from opening fraudulent accounts in their names. By that date, all three major credit bureaus will offer “security freeze” protection to all consumers living in the eleven states that have not passed laws requiring it and the five states that currently limit this protection to identity theft victims. To help consumers learn how to take advantage of this powerful identity theft safeguard, Consumers Union, the nonprofit publisher of Consumer Reports, is making available online an updated Guide to Security Freeze Protection."

    October 31, 2007
    * Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy

    Text of the Federal Register Notice [256 pages, PDF] - Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003: 16 C.F.R. Part 681 (Federal Trade Commission Rule): Joint Final Rules and Guidelines of the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Offfice of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission.

    October 21, 2007
    * CDT Comments on FTC's Spyware Principles

    CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."

    October 16, 2007
    * New Bill To Add And Toughen Penalties For ID Theft And Fraud

    Press release, October 16, 2007: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today introduced the bipartisan Identity Theft Enforcement and Restitution Act of 2007 to give federal prosecutors important new tools to combat the growing problem of identity theft and cyber crime.

    The Identity Theft Enforcement and Restitution Act of 2007 would:

  • Give victims of identity theft the ability to seek restitution for the loss of time and money spent restoring credit and remedying the harms of identity theft;
  • Expand the jurisdiction of federal computer fraud statutes to cover small businesses and corporations;

  • Eliminate the prosecutorial requirement that sensitive identity information must have been stolen through an interstate or foreign communication and instead focuses on whether the victim’s computer is used in interstate or foreign commerce, allowing for the prosecutions of cases in which both the identify thief’s computer and the victim’s computer are located in the same state;

  • Make it a felony to employ spyware or keyloggers to damage ten or more computers regardless of the aggregate amount of damage caused, ensuring that the most egregious identity thieves will not escape with a minimal, or no, sentence;

  • Eliminate the requirement that the loss resulting from damage to a victim’s computer must exceed $5,000; under this bill violations resulting in less than $5,000 damage would be criminalized as misdemeanors;

  • Add the crime of threatening to obtain or release information from a protected computer to the definition of a cyber crime and expands the definition of a cyber crime to include demanding money in relation to a protected computer, where the damage to the victim computer was caused to facilitate the extortion..."

  • October 11, 2007
    * PhishTank Annual Report: U.S. telecoms hosting phishes; OpenDNS offering a solution

    Press release: "With a full twelve months under our belt, today OpenDNS published the first-ever PhishTank annual report. The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country."

    * Guidelines on Securing Public Web Servers, Version 2

    National Institute of Standards and Technology, Computer Security Division: "SP 800-44 version 2, Guidelines on Securing Public Web Servers, is published as final. It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers."

    October 08, 2007
    * Deloitte 2007 Global Security Survey

    "Two of the key findings from this year’s Global Security Survey revolve around an organization’s people and a paradox that has been around for years. The weakest link in an organization’s security is its people. An organization’s people include employees, customers, third parties and business partners. And of those people, the highest number of breaches are perpetrated via the customer. Even though information security incidents are grabbing the attention of business executives and boards, these individuals do not yet feel that they “own” the problem. In their estimation, the execution of solutions is the mandate of IT. This information security paradox has been alive and well for years; the 2007 security survey confirms just how widespread it is."

  • Deloitte 2007 Global Security Survey (48 pages, PDF)

  • October 04, 2007
    * National Southwest Border Counternarcotics Strategy

    National Southwest Border Counternarcotics Strategy - Unclassified Summary, October 2007

  • "The President's National Drug Control Strategy seeks to disrupt the illicit drug industry as close to the source as possible. As a companion to the National Drug Control Strategy, this Strategy directs U.S. efforts to intercept drug shipments that manage to evade the robust international counterdrug efforts in the source zone and transit zone, thereby contributing to a layered defense of the homeland. This Strategy aims to improve Federal counterdrug efforts on the Southwest Border in the following areas: intelligence collection and information sharing, interdiction at and between ports of entry, aerial surveillance and interdiction of smuggling aircraft, investigations and prosecutions, countering financial crime, and cooperation with Mexico."
  • * European Security Research Agenda: European Commission Working documents

    European Security Research Agenda: European Commission Working documents: Public-Private Dialogue in Security Research and Innovation: Summary of the Impact Assessment (SEC (2007); Public-Private Dialogue in Security Research and Innovation: Impact Assessment (SEC (2007)

  • See also Security research to better combat terrorism

  • September 26, 2007
    * National Cyber Security Awareness Month 2007

    StaySafeOnline.org: "The National Cyber Security Alliance (NCSA), a consortium of government agencies and private industry sponsors, is proud to designate October 2007 as National Cyber Security Awareness Month (NCSAM). National Cyber Security Awareness Month is a national campaign designed to increase the public's awareness of cyber security and cyber crime issues so that users can take precautions to avoid these threats on the Internet. The month will feature a number of initiatives including public relations activities, educational programs and events that target Home Users, Small Businesses, Education audiences (K-12 and higher education), and Child Safety online."

    September 24, 2007
    * Thompson, Langevin Demand Investigation into Department Cyber Attacks

    Press release: "Committee on Homeland Security Committee Chairman Bennie G. Thompson (D-MS) and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James R. Langevin (D-RI) sent a letter on Friday to Richard L. Skinner, Inspector General of the Department of Homeland Security to request an investigation into cyber attacks on the Department initiated by foreign entities and relating to incompetent and possibly illegal activity by the contractor charged with maintaining security on its networks. Links to the letter and its enclosure."

    * Cuomo Subpoenas Facebook Over User Safety

    Press release: "Attorney General Andrew Cuomo announced today that his office is investigating Facebook over representations the company makes about safety measures in place on its website. In a letter accompanying a subpoena for docume