Citizen Lab [University of Toronto] "released a new report, For Their Eyes Only: The Commercialization of Digital Spying. The report features new findings, as well as consolidating a year of our research on the commercial market for offensive computer network intrusion capabilities developed by Western companies. Our new findings include:
Privacy Impact Assessment for the Office of Operations Coordination and Planning - Publicly Available Social Media Monitoring and Situational Awareness Initiative, DHS, Update April 1, 2013
EPIC: "New documents obtained by EPIC in a Freedom of Information Act lawsuit reveal that the Department of Defense advised private industry on how to best circumvent federal wiretap law. The documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is pursuing in separate FOIA litigation. For more information, see EPIC: EPIC v. DHS (Defense Contractor Monitoring), and EPIC: EPIC v. NSA - Cybersecurity Authority."
"Verizon’s 2013 Data Breach Investigations Report (DBIR) provides truly global insights into the nature of data breaches that can help organizations of all sizes to better understand the threat and take the necessary steps to protect themselves. The breadth and depth of data represented in this year’s DBIR is unprecedented. It combines the efforts of 19 global organizations: law enforcement agencies, national incident-reporting entities, research institutions, and a number of private security firms — all working to study and combat data breaches. Over the years the number of contributors has grown. Since we started publishing the DBIR in 2008, our partners have contributed data information on more than 2,500 confirmed data breaches — totaling more than a billion compromised records."
"Dozens of journalists sifted through millions of leaked records and thousands of names to produce ICIJ’s investigation into offshore secrecy. "A cache of 2.5 million files has cracked open the secrets of more than 120,000 offshore companies and trusts, exposing hidden dealings of politicians, con men and the mega-rich the world over. The secret records obtained by the International Consortium of Investigative Journalists lay bare the names behind covert companies and private trusts in the British Virgin Islands, the Cook Islands and other offshore hideaways. They include American doctors and dentists and middle-class Greek villagers as well as families and associates of long-time despots, Wall Street swindlers, Eastern European and Indonesian billionaires, Russian corporate executives, international arms dealers and a sham-director-fronted company that the European Union has labeled as a cog in Iran’s nuclear-development program. The leaked files provide facts and figures — cash transfers, incorporation dates, links between companies and individuals — that illustrate how offshore financial secrecy has spread aggressively around the globe, allowing the wealthy and the well-connected to dodge taxes and fueling corruption and economic woes in rich and poor nations alike. The records detail the offshore holdings of people and companies in more than 170 countries and territories."
"The latest volume of the Security Intelligence Report (SIR) highlights the importance of using antivirus software. Antivirus software helps protect your computer from malicious software (malware) and can be downloaded or installed inexpensively or at no charge. Still, according to the SIR v14 findings, 24 percent of computers worldwide were not running up-to-date antivirus software, leaving them 5.5 times more likely to be infected with viruses."
EPIC:
Cybersecurity: Selected Legal Issues, April 17, 2013.
2013 Internet Security Threat Report - "Key Findings:
Markus Selinger: "A detailed AV-TEST study recently revealed that although search engine operators such as Google and Bing make a lot of effort to avoid doing so, they sometimes deliver websites infected with Trojans and similar malware among their top search results. Other search engines do an even worse job. Malware developers are now putting more and more effort into their work, for example in order to distribute their spyware programs or Trojans. They therefore exploit search engines for their own purposes and sneak infected websites into the top results delivered to users. The trick used by these criminals is actually very simple: they first create a multitude of small websites and blogs before selecting the most frequently used search terms from top news stories and using backlinks to optimise these terms for search engines. This process of optimising websites for search engines, known as SEO (search engine optimisation) for short, is used by all major website operators to ensure that their sites are easier to find. The way to ensure that a web site is the quickest to be found is to achieve a place in the top ten search results delivered by Bing or Google."
R&D News: "In a development that could make the advanced form of secure communications known as quantum cryptography more practical, University of Michigan researchers have demonstrated a simpler, more efficient single-photon emitter that can be made using traditional semiconductor processing techniques. Single-photon emitters release one particle of light, or photon, at a time, as opposed to devices like lasers that release a stream of them. Single-photon emitters are essential for quantum cryptography, which keeps secrets safe by taking advantage of the so-called observer effect: The very act of an eavesdropper listening in jumbles the message. This is because in the quantum realm, observing a system always changes it. For quantum cryptography to work, it's necessary to encode the message—which could be a bank password or a piece of military intelligence, for example—just one photon at a time. That way, the sender and the recipient will know whether anyone has tampered with the message."
"This report provides a detailed, current look at the nature of advanced threats targeting organizations today. Drawing on data gathered by FireEye® from several thousands of appliances at customer sites around the world, across 89 million events, this report provides an overview of the current threat landscape, evolving advanced persistent threat (APT) tactics, and the level of infiltration seen in organizations' networks today. Key findings include:
Report of the Select Committee on Intelligence to United States Senate covering the period January 5, 2011 - January 3, 2013, 113th Congress, 1st Session, Senate Report 113-7.
"The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history. A row between a spam-fighting group and hosting firm has sparked retaliation attacks affecting the wider internet. It is having an impact on popular services like Netflix - and experts worry it could escalate to affect banking and email systems. Five national cyber-police-forces are investigating the attacks. Spamhaus, a group based in both London and Geneva, is a non-profit organisation which aims to help email providers filter out spam and other unwanted content. To do this, the group maintains a number of blocklists - a database of servers known to be being used for malicious purposes. Recently, Spamhaus blocked servers maintained by Cyberbunker, a Dutch web host which states it will host anything with the exception of child pornography or terrorism-related material."
Via Space.com: "NASA has taken its huge database of technical reports offline in response to the arrest last weekend of a former contractor suspected of spying for China. The space agency decided to shut down the NASA Technical Reports Server (NTRS) as part of a broad security review spurred by the arrest of Bo Jiang, who was grabbed by FBI agents Saturday (March 16) on a China-bound plane at Dulles International Airport outside Washington, D.C. "I’ve closed down the NASA Technical Reports database while we review whether there’s a risk," NASA chief Charles Bolden told the House Appropriations Committee Wednesday (March 20) during a hearing set up to probe possible security lapses at space agency centers."
Statement for the Record - Worldwide Threat Assessment of the US Intelligence Community, Senate Select Committee on Intelligence. James R. Clapper, Director of National Intelligence, March 12, 2013
"The Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the invitation of the Centre by an independent ‘International Group of Experts’, is the result of a three-year effort to examine how extant international law norms apply to this ‘new’ form of warfare. The Tallinn Manual pays particular attention to the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt within the context of these topics. The Tallinn Manual is not an official document, but instead an expression of opinions of a group of independent experts acting solely in their personal capacity. It does not represent the views of the Centre, our Sponsoring Nations, or NATO. It is also not meant to reflect NATO doctrine. Nor does it reflect the position of any organization or State represented by observers."
Videos and articles for hacked site recovery - Posted by Maile Ohye, Developer Programs Tech Lead: "We created a new Help for hacked sites informational series to help all levels of site owners understand how they can recover their hacked site. The series includes over a dozen articles and 80+ minutes of informational videos - from the basics of what it means for a site to be hacked to diagnosing specific malware infection types."
CRS - The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress, March 1, 2013
Identity Theft Tops List for 13th Consecutive Year in Report of National Consumer Complaints
News release: "The Mandiant® Intelligence Center™ released a detailed report exposing a multi-year espionage campaign by one of the largest “Advanced Persistent Threat” (APT) groups. The report, APT1: Exposing One of China’s Cyber Espionage Units, provides evidence linking one group, designated by Mandiant as APT1, to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Unit Cover Designator 61398) and details how it has systematically stolen confidential data from at least 141 organizations across multiple industries."
Security Engineering by Ross Anderson — The Book: "All chapters from the second edition now available free online."
News release: "More than one in four (28 percent) of respondents surveyed report their organizations were the victims of at least one cyberattack in the past year; nine percent report multiple breaches and an alarming 17 percent were not confident that their organizations could even detect an attack, according to a Deloitte Tech Trends poll of 1,749 business professionals...Based on the Feb. 7 Deloitte Dbriefs webcast “If You Build It, They Will Come – And Try to Hack It,” the results of the poll underscore the increasing importance of cyber intelligence highlighted in the No Such Thing as Hacker-proof chapter in Deloitte’s 4th Annual Tech Trends Report, Elements of postdigital."
Executive Order - Improving Critical Infrastructure Cybersecurity, February 12, 2013.
Description of Civil Liberties and Privacy Protections in the updated NCTC Guidelines, January 2013, Office of the Director of National Intelligence.
EFF: "Representative Zoe Lofgren has posted on Reddit a modified draft of Aaron's Law, a proposal to update the Computer Fraud and Abuse Act and wire fraud law in honor of our friend Aaron Swartz and to make sure that the misguided prosecution that happened to him doesn't happen to anyone else. We're very pleased with the proposal's progress and we're hopeful about the future of this important bill."
Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project, GAO-13-155, Jan 25, 2013
News release: "When writing or speaking, good grammar helps people make themselves be understood. But when used to concoct a long computer password, grammar — good or bad — provides crucial hints that can help someone crack that password, researchers at Carnegie Mellon University have demonstrated. A team led by Ashwini Rao, a software engineering Ph.D. student in the Institute for Software Research, developed a password-cracking algorithm that took into account grammar and tested it against 1,434 passwords containing 16 or more characters. The grammar-aware cracker surpassed other state-of-the-art password crackers when passwords had grammatical structures, with 10 percent of the dataset cracked exclusively by the team's algorithm. "We should not blindly rely on the number of words or characters in a password as a measure of its security," Rao concluded. She will present the findings on Feb. 20 at the Association for Computing Machinery's Conference on Data and Application Security and Privacy (CODASPY 2013) in San Antonio, Texas. Basing a password on a phrase or short sentence makes it easier for a user to remember, but the grammatical structure dramatically narrows the possible combinations and sequences of words, she noted."
Early warning analysis for social diffusion events - Richard Colbaugh1 and Kristin Glass, Sandia National Laboratories, Albuquerque, NM
CRS - Internet Domain Names: Background and Policy Issues. Lennard G. Kruger, Specialist in Science and Technology Policy. January 3, 2013
Security Whitepaper: Google Apps Messaging and Collaboration Products
Nart Villeneuve (Senior Threat Researcher): "Throughout 2012, we investigated a variety of targeted attacks including several APT campaigns such as LuckyCat and Ixeshe, as well as updates on some long running campaigns such as Lurid/Enfal and Taidoor. There was a lot of great research within the community related to targeted attacks published this year, and I’ve clustered the research I found to be the most interesting into six themes that I think also encapsulate the trends in targeted attacks of 2012."
Aliya Sternstein reporting in NextGov: "The Defense authorization bill approved by Congress last week would require contractors to tell the Pentagon about penetrations of company-owned networks that handle military data. If President Obama signs the legislation into law, it would make permanent part of a Pentagon test program under which participating contractors report computer breaches in exchange for access to some classified cyber threat intelligence. What began as a defense industrial base pilot program in 2011 was opened to all interested military vendors in May. In October, reports surfaced that five of the 17 initial contractors dropped out of part of the program in which the National Security Agency shares classified threat indicators with the participants, apparently because they concluded the requirements for participation were too expensive and time-consuming for any enhanced security benefit. At the time, Lockheed Martin Corp. executives who help run the program noted the growth potential of another segment of the program that allows contractors to voluntarily share information about breaches to their networks without revealing identifying information to fellow contractors and the government. Now they say interest in the whole program is increasing."
Declan McCullagh/CNET: "Newly released files show a secret National Security Agency program is targeting the computerized systems that control utilities to discover security vulnerabilities, which can be used to defend the United States or disrupt the infrastructure of other nations. The NSA's so-called Perfect Citizen program conducts "vulnerability exploration and research" against the computerized controllers that control "large-scale" utilities including power grids and natural gas pipelines, the documents show. The program is scheduled to continue through at least September 2014. The Perfect Citizen files obtained by the Electronic Privacy Information Center and provided to CNET shed more light on how the agency aims to defend -- and attack -- embedded controllers."
Fred Gutierrez: "Almost a year ago we added detection for a low prevalence Trojan found on servers belonging to financial institutions, including banking firms and credit unions. The Trojan also compromised home computer users and computers at security firms. For easier identification and tracking we recently renamed this threat to Trojan.Stabuniq. Approximately half of unique IP addresses found with Trojan.Stabuniq belong to home users. Another 11 percent belong to companies that deal with Internet security (due, perhaps, to these companies performing analysis of the threat). A staggering 39 percent, however, belong to financial institutions. These financial institutions had their outer perimeter breached as the Trojan has been found on mail servers, firewalls, proxy servers, and gateways."
Via EPIC: "NASA has announced that the theft of an unencrypted laptop has compromised the personal information of a "large number" of NASA employees and contractors. A similar theft earlier this year exposed the data of thousands of Kennedy Space Center employees. The federal agency said that by the end of the year all NASA laptops must have full-disk encryption. The recent developments follow a 2010 United States Supreme Court case, NASA v. Nelson, in which a federal contractor challenged NASA's overly broad collection of personal information. EPIC filed an amicus curiae brief in support of the contractor Robert Nelson, arguing that there were insufficient legal protections and that NASA's systems are vulnerable to data breaches. Robert Nelson is among the employees and contractors who this week received a notice from NASA about the data breach. For more information, see EPIC: NASA v. Nelson and EPIC: Privacy Act."
CRS - Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions. Eric A. Fischer, Senior Specialist in Science and Technology, November 9, 2012
"Browsers can be regarded as a kind of autonomous zone inside the operating systems of modern computers. A browser is a window to the online world, installed on each and every computer, powered with the ability to install and run additional apps on its territory. Of course, it grants access to a plethora of web-based apps: from online office editors to games. At the same time the majority of online threats come from the web as well. Vulnerabilities in web browsers and other popular programs are used by cybercriminals to infect systems and steal user data: quite often an infected web page triggers the attack. That is why keeping your chosen browser up-to-date is one of the most important tasks, since new versions plug security holes and provide new security features...Slightly less than 80% of Kaspersky Lab’s users have the latest version of a browser. It is important that our data is based on real usage statistics, and there is a chance that quite a lot of users, for example, use up-to-date Google Chrome, but have an outdated Internet Explorer installed, thus keeping a security hole open for attacks. At the same time, the number of users utilizing older or critically outdated browsers is very high. A 23% share for older browsers and 8.5% for obsolete versions represents millions of users. Such reluctance to upgrade is a key addition to the negative outlook on web-born threats.."
Monitoring Hacker Forums ADC Monthly Web Attacks Analysis, October 2012: "Imperva analyzed one of the largest-known hacker forums with roughly 250,000 members, as well as other smaller forums. Using search capabilities, we analyzed conversations by topic using specific keywords. We found:
"As part of nCircle's commitment to improving Internet security, we asked some of the brightest minds in security to help us compile a list of security tips and tricks for a wide range of readers. The resulting eBook includes a wide range of topics — from passwords and public Wi-Fi to Java configuration and sandboxing — and includes tips from security experts like Richard Stiennon, Adam Shostack, John Banghart, Brandon Williams and many others. The eBook is formatted to make it easy to share on social media platforms like Twitter and Facebook. Help us make the Internet a safer place. Download the eBook and chime in with a security tip of your own. Get the free eBook by downloading either the eBook version or the PDF version."
MiPAL: Cybersecurity - Compiled by the National Defense University Library [MERLN - the Military Education Research Library Network - is a comprehensive website devoted to international military education outreach. It represents a consortium of military education research libraries that work together to provide access to a variety of unique electronic resources for the use of researchers and scholars.] Via Ian Burke.
Mobile Device Location Data - Additional Federal Actions Could Help Protect Consumer Privacy, GAO-12-903, Sep 11, 2012
[Note - this is a fee based service] "Norton by Symantec today released Norton Hotspot Privacy, a new service that helps protect consumers using public Wi-Fi connections. Available in the U.S. and U.K. for Mac and PC, Norton Hotspot Privacy automatically creates a private connection - or virtual private network - allowing users to control what they share online, no matter where they connect to the Internet. Two-thirds of online adults use free or unsecured Wi-Fi networks, from coffee shops to airports and public parks. But along with the convenience come risks of exposing sensitive information to cybercriminals. Norton Hotspot Privacy enables users to become 'invisible' on the network and also encrypts their username, password and other confidential information they may be entering online. Consumers can sign into the Norton Hotspot Privacy Web portal, download the client and the VPN will automatically configure to create a private connection."
FY 2012 Office of Inspector General FISMA Audit of GSA’s Information Technology Security Program, Report Number A120125/O/F/F12005
September 28, 2012. "We identified the following during our audit:
News release: "The Federal Trade Commission has launched a major international crackdown on tech support scams in which telemarketers masquerade as major computer companies, con consumers into believing that their computers are riddled with viruses, spyware and other malware, and then charge hundreds of dollars to remotely access and “fix” the consumers’ computers. At the request of the FTC, a U.S. District Court Judge has ordered a halt to six alleged tech support scams pending further hearings, and has frozen their assets."
"This report – Green Carbon, Black Trade – by UNEP and INTERPOL focuses on illegal logging and its impacts on the lives and livelihoods of often some of the poorest people in the world set aside the environmental damage. It underlines how criminals are combining old fashioned methods such as bribes with high tech methods such as computer hacking of government web sites to obtain transportation and other permits. The report spotlights the increasingly sophisticated tactics being deployed to launder illegal logs through a web of palm oil plantations, road networks and saw mills."
Trend Micro Incorporated Opinion Piece, September 2012 - Peter the Great Versus Sun Tzu
News release: "From NATO Cooperative Cyber Defense Center of Excellence: The Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the invitation of the Centre by an independent ‘International Group of Experts’, is the result of a three-year effort to examine how extant international law norms apply to this ‘new’ form of warfare. The Tallinn Manual pays particular attention to the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt within the context of these topics."
Sliter, John R., 'Techno-Risk - the Perils of Learning and Sharing Everything' from a Criminal Information Sharing Perspective (September 9, 2012). 30th Symposium on Economic Crime in Cambridge, England on September 5th, 2012. Available at SSRN.
Measuring the Cost of Cybercrime. Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten Michael Levi, Tyler Moore, Stefan Savage
News release: "EFF's Keeping Your Site Alive guide includes tips on choosing an appropriate webhost to provide the security and technical assistance needed to weather an attack. The guide also gives advice on how to back up and mirror content so it can be made available elsewhere in case the site is compromised, and includes tutorial videos with background information on the technical concepts involved. Denial of service attacks are an issue for websites across the globe, so EFF's guide is available in many different translations, including Chinese, Russian, Persian, and Arabic."
Pipeline Cybersecurity: Federal Policy, by Paul W. Parfomak, Specialist in Energy and Infrastructure Policy, August 16, 2012
Cyber Security Task Force: Public-Private Information Sharing. This report is the product of the Bipartisan Policy Center’s Homeland Security Project, July 2012
Broadband Internet Technical Advisory Group, Technical work Group Report, August 2012
Via CDT: "The chart below compares on civil liberties grounds three bills that seek to promote cybersecurity and it updates a similar chart we issued on April 4, 2012 based on prior versions of all three bills. The Senate is set to consider the Cybersecurity Act, S. 3414 (“Lieberman-Collins” bill), introduced on July 19. The chart shows that the Lieberman bill better protects privacy than do either of the competing bills, and that it should be further improved by dropping monitoring and countermeasures language. The leading alternative Senate bill, SECURE IT, S. 3342, was re-introduced by Senator McCain and other co-sponsors on June 27 (“SECURE IT”). Despite a White House veto threat, the House passed the Cyber Intelligence Sharing and Protection Act, H.R. 3523 (“CISPA”) on April 26 on a vote of 248-168. It will be reconciled with cybersecurity legislation that the Senate passes. (Lieberman-Collins and SECURE IT include cybersecurity measures unrelated to information sharing that are not reflected in this chart.)
WSJ: "How big is the iCrime wave? National data aren't available, but in New York, there were more than 26,000 incidents of electronics theft in the first 10 months of 2011—81% involving mobile phones—according to an internal police-department document. In Washington, D.C., cellphone-related robberies jumped 54% from 2007 to 2011, according to the Metropolitan Police Department. And the data may drastically undercount thefts. Since many don't involve violence, many victims don't bother reporting them."
Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions. Eric A. Fischer, Senior Specialist in Science and Technology, June 29, 2012
Via the 11th Annual Workshop on the Economics of Information Security - Measuring the Cost of Cybercrime - Ross Anderson, Chris Barton, Rainer Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, Stefan Savage
Via public intelligence: "The following design document was produced by Allure Security and sponsored by the Defense Advanced Research Projects Agency (DARPA). It describes a system for preventing leaks by seeding believable disinformation in military information systems to help identify individuals attempting to access and disseminate classified information. For more information on the document, see Wired’s article on the subject: Feds Look to Fight Leaks With ‘Fog of Disinformation’.
"The Department of Homeland Security (DHS) Control Systems Security Program manages and operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to provide focused operational capabilities for defense of control system environments against emerging cyber threats...This report provides a summary of cyber incidents, onsite deployments, and associated findings from the time ICS-CERT was established in 2009 through the end of 2011..The most common infection vector for network intrusion was spear-phishing emails with malicious links or attachments. Spear-phishing accounted for 7 out of 17 incidents. At least one incident involved an infection from a removable USB device."
"The Federal Trade Commission, the nation's consumer protection agency, offers updated information explaining how to protect your child's information and your own, and the immediate steps to take to limit the damage identity theft can cause. Taking Charge: What To Do If Your Identity Is Stolen is a step-by-step guide that includes sample letters, forms and essential contact information. A brochure, Identity Theft: What To Know, What To Do, explains the basic steps of protecting information and responding to identity theft. Safeguarding Your Child's Future tells parents how to protect their children's information, find out if a credit report has been created for them, and respond to problems."
News release: "Check Point® Software Technologies Ltd...announced the results of a new ZoneAlarm report revealing differences in the use of computer security between Gen Y and Baby Boomers. The report, The Generation Gap in Computer Security, found that Gen Y is more confident in its security knowledge than Baby Boomers. However, 50 percent of Gen Y respondents have had security issues in the past two years compared to less-than-half of Baby Boomers. The broad adoption of digital media and social networking, combined with the increasing amount of sensitive data that is stored online, is making personal computer security more important than ever before. Yet the ZoneAlarm study reveals that 78 percent of Gen Y respondents do not follow security best practices while cybercriminals are launching new and more sophisticated attacks on consumers every day. In comparison, Baby Boomers are more concerned about security and privacy and twice more likely to protect their computers with additional security software."
Google Online Security Blog: "Approximately 12-14 million Google Search queries per day show our warning to caution users from going to sites that are currently compromised. Once a site has been cleaned up, the warning is lifted."
[May 10, 2012] - The Internet Crime Complaint Center (IC3) released the 2011 Internet Crime Report — an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million. As more Internet crimes are reported, IC3 can better assist law enforcement in the apprehension and prosecution of those responsible for perpetrating Internet crime."
Follow up to June 6, 2012 posting, LinkedIn Member Passwords Compromised, this update via the LinkedIn Blog: An Update On Taking Steps To Protect Our Members, June 9, 2012: "...In this post, we want to address questions we’ve been receiving and share what we’ve learned so far about the incident, how we’ve responded, and what we’re doing to protect our members going forward. First, it’s important to know that compromised passwords were not published with corresponding email logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves."
Vicente Silveira, June 6, 2012: "We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
Industry Botnet Group Principles for Voluntary Efforts to Reduce the Impact of Botnets in Cyberspace
A Global Reality: Governmental Access to Data in the Cloud - A comparative analysis of ten international jurisdictions Governmental access to data stored in the Cloud – including cross-border access – exists in every jurisdiction, by Winston Maxwell, Paris, France Christopher Wolf, Washington, DC; May 23, 2012. A Hogan Lovells White Paper.
OFA Report - The Cloud Computing Workshop - "The cloud will happen; the question is whether it will happen to us, with us, or by us": "This report is prepared by the rapporteur, Dr. E. Altsitsiadis, for Open Forum Academy (OFA) in support of the Cloud Computing Workshop. The summaries of the speaker presentations and panel discussions in this report are based on the rapporteur’s notes. The workshop brought together high-level experts to discuss three broad aspects of cloud computing; the economic impact, the legal aspects and the way to move forward. The economic opportunity is irrefutable - If you live in a multi-device world, you simply need the cloud. The cloud will have a significant impact on our entire economy; from the micro level and the numerous benefits it brings to supply and demand alike, to the positive macro-effects in new job creation and GDP contribution. There are serious obstacles though in claiming these benefits, from practical operational limitations to misconceptions, distrust and a legal framework that is largely fragmented and complicated. The speakers broadened our understanding of these weak points, downplaying some issues that are overly considered important, while pointing out others that are crucial, yet evade our attention. The workshop illustrated that there are a lot of misconceptions but also a lot of common ground and it is becoming apparent that the way forward passes through better communication and collaboration, whether at the level of EU-US governments, Industry-Policymakers or Providers-Users."
"The Cabinet Office and London School of Economics (LSE) have published research into the Total Cost of Ownership of Open Source Software, by Maha Shaikh and Tony Cornford, Version 8.5 Final, November 2011, Unclassified. The report has beejointly financed by the Cabinet Office and OpenForum Academy, together with some of its supporters, including Alfresco, Deloitte, IBM and Red Hat."
News release: "The Federal Trade Commission testified before Congress about the agency’s efforts to protect consumer privacy, including the FTC’s support for implementation of a “Do Not Track” mechanism that would allow consumers to control the tracking of their online activities across websites, and other approaches recommended in its recent privacy report. In delivering Commission testimony before the Senate Committee on Commerce, Science and Transportation, FTC Chairman Jon Leibowitz said the current time is a “critical juncture” for consumer privacy, and described the FTC’s recent privacy report, including its call for final implementation of a Do Not Track mechanism. The testimony notes that the Commission recommends Congress consider enacting general privacy legislation, and that it enact data security and breach notification legislation and targeted legislation to address data brokers."
NSA Fact Sheet, April 2012: Mobile phone platforms are susceptible to malicious attacks, both from the network and upon physical compromise. Understanding the vectors of such attacks, level of expertise required to carry them out, available mitigations, and impact of compromise provides a background for certain risk decisions. In general, comparing risks introduced by the new generation of mobile devices to those of traditional, widely-deployed desktop systems provides insight into how the risks to DoD networks are changing. Due to the larger cultural and technological shift to mobile devices, this may be more relevant than comparison of different smartphone brands."
Cybersecurity: Authoritative Reports and - Resources, Rita Tehan
Information Research Specialist, April 26, 2012
News release: "The Information Commissioner’s Office (ICO) is urging consumers to take better care of their data, following an investigation into the trade in used hard drives. The ICO has published new guidance to help individuals securely delete personal information from their old devices. An investigation by the ICO found that one in ten second-hand hard drives sold online may contain residual personal information. An ICO survey also found that 65% of British adults now hand on their old phones, computers and laptops to another user, with 44% giving it away to somebody else for free and around one in five (21%) selling it to somebody else. In December 2010, the ICO asked a computer forensics company – NCC Group – to source around 200 hard drives, 20 memory sticks and 10 mobile phones. The devices were mainly bought online from internet auction sites and some were sourced at computer trade fairs. The devices were then searched, initially without any additional software, and then interrogated using forensic tools freely available on the internet. The research found that, while 52% of the hard drives investigated were unreadable or had been wiped of data, 48% contained information and 11% was personal data. The amount of personal data found on the mobile phones and memory sticks was negligible. In total 34,000 files containing personal or corporate information were recovered from the devices. At least two of the hard drives contained enough information to enable someone to steal the former owner’s identity. The residual documents included scanned bank statements, passports, information on previous driving offences, and some medical details. A further four hard drives contained information about the employees and clients of four organisations, including individuals’ health and financial details."
"The Consumer Federation of America (CFA) released Best Practices for Identity Theft Services: How Are Services Measuring Up?, which analyzes how well identity theft services are providing key information to prospective customers. The study is based on CFA’s Best Practices for Identity Theft Services, voluntary guidelines that CFA developed with the help of identity theft service providers and consumer advocates. Released last year, the best practices resulted from CFA’s first study of identity theft services in 2009, which raised concerns about misleading claims about the ability to protect consumers from identity theft, lack of clear information, and other troublesome practices."
Cyberthings for Managers - overview of significant cyber warfare events from the news: "Cyberthings for Managers is created by Reuser’s Information Services to meet a growing demand by managers in the domain of cyber warfare for a quick overview of the most important events of the past weeks in the field, without being overwhelmed by technical details, individual incidents, or repetitions of earlier news. Cyberthings will list a summary of significant events in the world of Cyberwarfare from Governmental level down. There will be no listings of technical hacks, detailed descriptions of cyberweapons, repetitions of detailed cybercrime events, only the more strategic events will be covered." [via Marcia E. Zorn]
New York Times: The Cybercrime Wave That Wasn’t, by Dinei Florêncio, researcher and Cormac Herley, principal researcher at Microsoft Research
Security of power grids: a European perspective, Corrado Leita, Marc Dacier, Symantec Research Labs. April 2012
Social Networking Risks Outlined in Latest Counterintelligence Brochure, March 2012
CRS - Cybersecurity: Selected Legal Issues, March 14, 2012
Senate Armed Services Committee (SASC) hearing, March 27, 2012: testimony of General Keith B. Alexander, USA Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service
News release: "The Federal Trade Commission, the nation's chief privacy policy and enforcement agency, issued a final report setting forth best practices for businesses to protect the privacy of American consumers and give them greater control over the collection and use of their personal data. In the report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers, the FTC also recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation."
The Risk of Insider Fraud U.S. Study of IT and Business Practitioners
News release: "The Federal Financial Institutions Examination Council (FFIEC) issued a Supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment...The supplement stresses the need for performing risk assessments, implementing effective strategies for mitigating identified risks, and raising customer awareness of potential risks, but does not endorse any specific technology for doing so. The FFIEC member agencies will continue to work closely with financial institutions to promote security in electronic banking and have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012."
Computerworld: "A group of U.S. Internet service providers, including the four largest, have committed to taking new steps to combat three major cybersecurity threats, based on recommendations from a U.S. Federal Communications Commission advisory committee. The ISPs, including AT&T, Comcast, Time Warner Cable and Verizon Communications, committed Thursday to implement measures to fight botnets, domain name fraud and Internet route hijacking. The FCC's Communications, Security, Reliability, and Interoperability Council (CSRIC) adopted the recommendations for voluntary action by ISPs the same day. Eight wired and wireless ISPs, representing about 80% of the broadband subscribers in the U.S., are members of CSRIC and signed on to the recommendations."
Active Authentication: "The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console. The Active Authentication program seeks to address this problem by developing novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software based biometrics. Biometrics are defined as the characteristics used to uniquely recognize humans based on one or more intrinsic physical or behavioral traits. This program focuses on the behavioral traits that can be observed through how we interact with the world. Just as when you touch something your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a “cognitive fingerprint.”
News release: "The Securities and Exchange Commission today announced a rule proposal to help protect investors from identity theft by ensuring that broker-dealers, mutual funds, and other SEC-regulated entities create programs to detect and respond appropriately to red flags. The SEC issued the proposal jointly with the Commodity Futures Trading Commission (CFTC). Section 1088 of the Dodd-Frank Act transferred authority over certain parts of the Fair Credit Reporting Act from the Federal Trade Commission (FTC) to the SEC and CFTC for entities they regulate. The proposed rules are substantially similar to rules adopted in 2007 by the FTC and other federal financial regulatory agencies that were previously required to adopt such rules."
FBI Fact Sheet on Internet Fraud: Includes information on: Avoiding Internet Auction Fraud, Avoiding Non-Delivery of Merchandise, Avoiding Credit Card Fraud, Avoiding Investment Fraud, Avoiding Business Fraud, Avoiding the Nigerian Letter or “419” Fraud, Common Fraud Scams, Investment-Related Scams, Internet Scams, and Fraud Target: Senior Citizens.
News release: "The Federal Trade Commission issued a staff report, Using FACTA Remedies: An FTC Staff Report on a Survey of Experience of Identity Theft Victims, summarizing the results of a survey of identity theft victims who were asked to describe their experiences dealing with consumer reporting agencies and, more generally, exercising their rights under the Fair Credit Reporting Act (FCRA) as amended by the Fair and Accurate Credit Transactions Act (FACTA), to recover from identity theft. The survey showed that most of the respondents were generally satisfied with their experiences, but the report also noted areas for improvement. Congress has established several rights under the FACTA to help actual or potential identity theft victims protect themselves from, and recover from, identity theft. These rights enable victims to place fraud alerts on their credit report with the consumer reporting agencies, request a free credit report from the three national consumer reporting agencies when placing a fraud alert, block fraudulent information from appearing in their credit report, and receive a notice of these and other rights from the consumer reporting agencies."
The Department of Energy's Implementation of Homeland Security Presidential Directive 12; DOE/IG-0860 February 2012
NASA Cybersecurity: An Examination of the Agency’s Information Security - Testimony before the Subcommittee on Investigations and Oversight, House Committee on Science, Space, and Technology, February 29, 2012 - Statement of Paul K. Martin, NASA Inspector General: "My testimony today highlights five issues that we believe, based on our extensive audit and investigative work, constitute NASA’s most serious challenges in the admittedly difficult task of protecting the Agency’s information and systems from inadvertent loss or malicious theft. These challenges are:
News release: "The Electronic Frontier Foundation (EFF) launched the 2.0 version of HTTPS Everywhere for the Firefox browser today, including an important new update that warns users about web security holes. The "Decentralized SSL Observatory" is an optional feature that detects encryption weaknesses and notifies users when they are visiting a website with a security vulnerability – flagging potential risk for sites that are vulnerable to eavesdropping or "man in the middle" attacks."
NATO’s Cyber Capabilities: Yesterday, Today, and Tomorrow, Jason Healey and Leendert van Bochoven. "This issue brief is part of the Atlantic Council’s Smarter Alliance Initiative in partnership with IBM. The Atlantic Council and IBM established the Smarter Alliance Initiative in response to the NATO Secretary General’s call for NATO members to adopt a “smart defense” approach to leveraging scarce defense resources to develop and sustain capabilities necessary to meet current and future security challenges in an age of austerity."
Computerworld - "An online encryption method widely used to protect banking, email, e-commerce and other sensitive Internet transactions is not as secure as assumed, according to a report issued by a team of U.S and European cryptanalysts. The researchers reviewed millions of public keys used by websites to encrypt online transactions and found a small but significant number to be vulnerable to compromise. In most cases, the problem had to do with the manner in which the keys were generated, according to the researchers. The numbers associated with the keys were not always as random as needed, the research showed. Therefore, the team concluded, attackers could use public keys to guess the corresponding private keys that are used to decrypt data -- a scenario that was previously believed to be impossible."
NYT: "A team of European and American mathematicians and cryptographers have discovered an unexpected weakness in the encryption system widely used worldwide for online shopping, banking, e-mail and other Internet services intended to remain private and secure. The flaw — which involves a small but measurable number of cases — has to do with the way the system generates random numbers, which are used to make it practically impossible for an attacker to unscramble digital messages. While it can affect the transactions of individual Internet users, there is nothing an individual can do about it. The operators of large Web sites will need to make changes to ensure the security of their systems, the researchers said."
"ENISA [European Network and Information Security Agency] has published the first EU report ever on cyber security challenges in the Maritime Sector. This principal analysis highlights essential key insights, as well as existing initiatives, as a baseline for cyber security. The high-level recommendations are given for addressing these risks, Cyber threats are a growing menace, spreading to all industry sectors that relying on ICT systems. Recent deliberate disruptions of critical automation systems, such as Stuxnet, prove that cyber-attacks have a significant impact on critical infrastructures. Disruption of these ICT capabilities may have disastrous consequences for the EU Member States’ governments and social well being. The need to ensure ICT robustness against cyber-attacks is thus a key challenge at national and pan-European level."
Report: "DNS (Domain Name System) is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. When you enter a domain name, such as www.fbi.gov, in your web browser address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration. DNS and DNS Servers are a critical component of your computer’s operating environment—without them, you would not be able to access websites, send e-mail, or use any other Internet services. Criminals have learned that if they can control a user’s DNS servers, they can control what sites the user connects to on the Internet. By controlling DNS, a criminal can get an unsuspecting user to connect to a fraudulent website or to interfere with that user’s online web browsing. One way criminals do this is by infecting computers with a class of malicious software (malware) called DNSChanger. In this scenario, the criminal uses the malware to change the user’s DNS server settings to replace the ISP’s good DNS servers with bad DNS servers operated by the criminal. A bad DNS server operated by a criminal is referred to as a rogue DNS server."
"DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance", is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate."
Serious Economic Crime - A boardroom guide to prevention and compliance, January 2012 [312 pages, UK government]
"The NICE Cybersecurity Workforce Framework offers a working taxonomy and common lexicon that can be overlaid onto any organization's existing occupational structure. Although much work has gone into this framework, we need to ensure that it can be adopted and used across the nation. We are actively seeking to refine this framework with input from every sector of our nation's cybersecurity stakeholders. You are an integral part of this process. NICE requests that you please contribute your expertise in the field of cybersecurity by reviewing the NICE Cybersecurity Workforce Framework document and providing your public comments using the comments template."
"Google’s Good to Know campaign aims to help people stay safe on the Internet and manage the information they share online. The website and ads provide easy to use tips and advice on online security, help on understanding the data users share and tools they can use to manage their data. Written in clear language and featuring practical examples to illustrate complex security and privacy issues, the website and advertising campaign aim to empower users to tackle their online security concerns and make more informed decisions about their internet use. The U.S. campaign includes adverts in newspapers, on public transport and online. Download all print ads – (PDF)."
January 15, 2012 - "Subject: Information on the Zappos.com site - please create a new password. First, the bad news: We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password). THE BETTER NEWS: The database that stores your critical credit card and other payment data was NOT affected or accessed. SECURITY PRECAUTIONS: For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information. PLEASE CREATE A NEW PASSWORD: We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there. We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com"
Follow up to previous posting on ALA - PIPA, SOPA and the OPEN Act Quick Reference Guide, via the White House, Combating Online Piracy while Protecting an Open and Innovative Internet
"EPIC filed the opening brief in EPIC v. NSA, No. 11-5233, challenging the National Security Agency’s response to EPIC's Freedom of Information Act request. EPIC is seeking information about the widely publicized cybersecurity agreement between the NSA and Google that followed the January 2010 China hack. The NSA claimed it "could neither confirm nor deny" the existence of any information about its relations with Google. After the attack, Google's implemented encryption technology for Gmail by default, a privacy safeguard EPIC and technical experts had urged in 2009. For more information, see EPIC v. NSA: Google / NSA Relationship."
News release: "The Federal Trade Commission today sent a letter to the Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees Internet domain names, expressing concern that the organization's plan to dramatically expand the domain name system could leave consumers more vulnerable to online fraud and undermine law enforcers' ability to track down online scammers. In its letter to ICANN, the Commission warned that rapid expansion of the number of generic top-level domain names (gTLDs) – the part of the domain name to the right of the dot, such as ".com," ".net" and ".org" – could create a "dramatically increased opportunity for consumer fraud," and make it easier for scam artists to manipulate the system to avoid being detected by law enforcement authorities. The Commission urged ICANN – before approving any new gTLD applications – to take additional steps to protect consumers, including starting with a pilot program to work out potential problems."
"The Blueprint for a Secure Cyber Future builds on the Department of Homeland Security Quadrennial Homeland Security Review Report’s strategic framework by providing a clear path to create a safe, secure, and resilient cyber environment for the homeland security enterprise. With this guide, stakeholders at all levels of government, the private sector, and our international partners can work together to develop the cybersecurity capabilities that are key to our economy, national security, and public health and safety. The Blueprint describes two areas of action: Protecting our Critical Information Infrastructure Today and Building a Stronger Cyber Ecosystem for Tomorrow. The Blueprint is designed to protect our most vital systems and assets and, over time, drive fundamental change in the way people and devices work together to secure cyberspace. The integration of privacy and civil liberties protections into the Department’s cybersecurity activities is fundamental to safeguarding and securing cyberspace."
"Accuvant LABS has just released some new research that compares the security of three of the most widely used web browsers – Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer. Google commissioned Accuvant to perform this comprehensive and independently designed security analysis to help advance the discussion of best practices in the security community. Our research findings are extremely thorough and complete, so we decided to create this blog to summarize the results. Malware, spyware and viruses are all too familiar to those who regularly surf the web. These malicious programs can lead to system pop-ups, slowdowns, account takeovers, credit card theft, identity theft, and the theft of personally identifiable information. While antivirus and anti-malware can help prevent an infection, the first line of defense is using a secure web browser. For a person that surfs the internet, comparing and contrasting the security of different web browsers is difficult. Marketing materials are available to the average user, but they often contain direct contradictions and the reader ends up wondering which web browser is the most secure. Our research aims to fix that problem. We compared browsers from a layered perspective, taking into account security architecture and anti-exploitation techniques. Like antivirus or anti-malware software, each provides an additional layer of defense. The nice thing is, when anti-exploitation technology prevents an attack, anti-malware and antivirus aren't needed. The idea is that it’s a lot easier to keep a fortress with a moat safe than it is to protect a beach shack."
The UK Cyber Security Strategy - Protecting and promoting the UK in a digital world, November 2011
Mapping the Mal Web - The world’s riskiest domains, by Barbara Kay, CISSP, Secure by Design Group and Paula Greve, Director of Research, McAfee Labs
News release: "The FCC is launching the Small Biz Cyber Planner, an online resource to help small businesses create customized cybersecurity plans. This is the result of an unprecedented public-private partnership between government experts and private IT and security companies, including DHS, NCSA, NIST, The U.S. Chamber of Commerce, The Chertoff Group, Symantec, Sophos, Visa, Microsoft, HP, McAfee, The Identity Theft Council, ADP and others. The online tool is available at FCC.gov/cyberplanner. By almost any measure small businesses have an outsized impact on our economy and it is critically important that small businesses, a vibrant engine for job and idea creation, are secure using the many broadband enabled tools they need to efficiently run their businesses. According to a survey released in October, 2011 by Symantec and the National Cyber Security Alliance (NCSA), two-thirds of U.S. small businesses rely on broadband Internet for their day-to-day operations...This effort is part of an ongoing program to raise awareness about the cybersecurity risks to small businesses and to help these businesses become cyber-secure. Earlier this year, the FCC and a coalition of public and private-sector partners developed a cybersecurity tip sheet, which includes tips to educate business owners about basic steps they can take immediately to protect their companies. The tip sheet is available at FCC.gov/cyberforsmallbiz".
News release: "McAfee today released the McAfee Threats Report: Third Quarter 2011, which showed that the Android mobile operating system solidified its lead as the primary target for new mobile malware. The amount of malware targeted at Android devices jumped nearly 37 percent since last quarter, and puts 2011 on track to be the busiest in mobile and general malware history. Nearly all new mobile malware in Q3 was targeted at Android."
Evaluation Report - The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2011. OAS-M-12-01 November 2011.
"Building, operating and securing the Global Information Grid (GIG) for the Department of Defense is a complex and ongoing challenge. The Deputy Assistant Secretary of Defense (DASD) for Cyber Identity and Information Assurance has developed a strategy for meeting this challenge, which is available here: Build and Operate a Trusted GIG - Identity & Information Assurance Related Policies and Issuances - Developed by the DoD CIO, IIA Deputate. Last Updated: October 18, 2011. In the CIIA Strategy, the primary goal areas are as listed as follows:
"The NICE Cybersecurity Workforce Framework offers a working taxonomy and common lexicon that can be overlaid onto any organization's existing occupational structure. Although much work has gone into this framework, we need to ensure that it can be adopted and used across the nation. We are actively seeking to refine this framework with input from every sector of our nation's cybersecurity stakeholders."
The Socialbot Network: When Bots Socialize for Fame and Money -
Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu -
University of British Columbia Vancouver, Canada
Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations (NIST Special Publication [SP] 800-137)
DOE IG Evaluation Report - The Department's Unclassified Cyber Security Program – 2011, DOE/IG-0856 October 2011
All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces - Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, Luigi Lo Iacono. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW), 2011.
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents, October 13, 2011
Executive Order -- Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, October 07, 2011
Danger Room: "A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones. The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system."
2011 Payment Card Industry Compliance Report - A Study Conducted By The Verizon PCI And RISK Intelligence Teams
News release: "Check Point® Software Technologies Ltd. announced the results of a new report revealing 48 percent of enterprises surveyed have been victims of social engineering, experiencing 25 or more attacks in the past two years, costing businesses anywhere from $25,000 to over $100,000 per security incident. The report, The Risk of Social Engineering on Information Security, shows phishing and social networking tools as the most common sources of socially-engineering threats – encouraging businesses to implement a strong combination of technology and user awareness to minimize the frequency and cost of attacks. Socially-engineered attacks traditionally target people with an implied knowledge or access to sensitive information. Hackers today leverage a variety of techniques and social networking applications to gather personal and professional information about an individual in order to find the weakest link in the organization. According to the global survey of over 850 IT and security professionals, 86 percent of businesses recognize social engineering as a growing concern, with the majority of respondents (51%) citing financial gain as the primary motivation of attacks, followed by competitive advantage and revenge."
Identity Theft - Trends, Patterns, and Typologies Based on Suspicious Activity Reports. Filed by the Securities and Futures Industries January 1, 2005 – December 31, 2010. Report released September 2011.
News release: "Stanford University’s Center on Longevity and the FINRA Investor Education Foundation have joined together to launch the Research Center on the Prevention of Financial Fraud, an interdisciplinary resource for law enforcement, government and research groups studying financial fraud. Financial fraud, ranging from Ponzi schemes to online phishing scams and work from home schemes, swindles Americans out of billions of dollars each year. While emerging technologies continue to fuel the expansion and reach of financial fraud, this joint initiative will support and consolidate scientific research and connect this research to practical prevention and detection efforts."
"Symantec Corp. announced the results of the August 2011 Symantec Intelligence Report, now combining the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. This month’s analysis reveals that once more spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit. In a pump-and-dump stock scam, spammers promote certain stocks in order to inflate the price as much as possible so that they may then be sold before their valuation crashes back to reality. The spam for these scams tries to convince the prospective mark that the penny stock is actually worth more than its valuation, or that it will soon skyrocket. Most of these claims are either misleading or false. A successful pump-and-dump spam campaign will artificially drive up the price of the stock to a point where the scammers decide to sell their shares. This usually coincides with them ending the spam campaign, which in turn reduces the interest in the stock, helping to drive its valuation back to the original low price."
Department of Homeland Security Office of Inspector General, Improvements in Patch and Configuration Management Controls Can Better Protect TSA’s Wireless Network and Devices (Redacted) OIG-11-99 July 2011
Trends in Circumventing Web-Malware Detection. Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt. Google Technical Report rajab-2011a, July 2011
Revealed: Operation Shady RAT by Dmitri Alperovitch, Vice President, Threat Research, McAfee: "An investigation of targeted intrusions into more than 70 global companies, governments, and non-profit organizations during the last five years."
Haystack Logo...and how well hidden is YOUR needle?
Data-Enabled Government: How Well Is Our Personal Information Used and Protected? - HP Business White Paper
"Data (in)security is rapidly gaining consumer attention in major media. In 2011 major breaches at Sony, Epsilon and others have highlighted the risk consumers face from their data being compromised. Major corporations are now recognizing the urgency to implement strong and innovative security measures to ensure the security of their customers’ data. At the same time, both Apple and Google have seen stunning growth in the past few years and now dominate the smartphone market. Companies and app developers have leveraged these platforms to provide new mobile services, often bringing them to market very quickly. But what steps have the smartphone OS providers and app developers taken to secure the data on their customers’ smartphones? At viaForensics we believe in proactive forensics – applying the power of forensic methods proactively to improve digital security. With appWatchdog we utilize forensic techniques to investigate consumer mobile apps and understand what user data is stored and could be at risk. This white paper summarizes our findings for the first 100 tests, from November 2010 through June 2011."
Supplement to Authentication in an Internet Banking Environment
Critical Infrastructures: Background, Policy, and Implementation -
John D. Moteff, Specialist in Science and Technology Policy, July 11, 2011: "This report discusses in more detail the evolution of a national critical infrastructure policy and the institutional structures established to implement it. The report highlights five issues of Congressional concern: identifying critical assets; assessing vulnerabilities and risks; allocating resources; information sharing; and regulation."
News release: "The Electronic Frontier Foundation (EFF), in collaboration with the Tor Project, has launched an official 1.0 version of HTTPS Everywhere, a tool for the Firefox web browser that helps secure web browsing by encrypting connections to more than 1,000 websites. HTTPS Everywhere was first released as a beta test version in June of 2010. Today's 1.0 version includes support for hundreds of additional websites, using carefully crafted rules to switch from HTTP to HTTPS. HTTPS protects against numerous Internet security and privacy problems, including the search hijacking on U.S. networks that was revealed by an article published today in New Scientist magazine. The article, entitled US internet providers hijacking users' search queries, documents how a company called Paxfire has been intercepting and altering search traffic on a number of ISPs' networks. HTTPS can prevent such attacks."
News release: "Acting on recent data that reveals many consumers still aren’t protected by even basic antivirus software when banking online, McAfee today released an educational guide for banking safely on computers, tablets or mobile devices. According to Javelin Strategy & Research, in 2010 47 percent of household financial managers did not have antivirus software installed. Combining McAfee intelligence with the latest U.S. banking data from many top sources revealed that most consumers fall into one of three categories of online banking behavior, and that age tends to play a strong role in safety and security habits online. Most people’s level of confidence with banking online is associated with their overall comfort level online, including participating in such activities as shopping, searching, and social networking."
"While the Internet can be a safe and convenient place to do business, scammers are out there in "cyber world" targeting unsuspecting consumers. The Looks Too Good To Be True.com website was built to educate you, the consumer, and help prevent you from becoming a victim of an Internet fraud scheme. The website was developed and is maintained by a joint federal law enforcement and industry task force. Funding for the site has been provided by the United States Postal Inspection Service and the Federal Bureau of Investigation. Key partners include the National White Collar Crime Center, Monster.com, Target and members of the Merchants Risk Council."
Department of Defense Strategy for Operating in Cyberspace, July 2011
"The purpose of this [June 22, 2011] Supplement to the 2005 Guidance (Supplement) is to reinforce the Guidance’s risk management framework and update the Agencies’ expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment. The Supplement reiterates and reinforces the expectations described in the 2005 Guidance that financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks. It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution’s customer awareness and education program."
Federal Register Volume 76, Number 125 (Wednesday, June 29, 2011)]
News release: "The Federal Trade Commission told Congress today during a hearing that to minimize the risk of identity theft or other harm, companies should employ reasonable safeguards to protect consumer information, collect only information for which they have a legitimate business need, and retain data only as long as necessary to fulfill the business purposes for which it was collected. The FTC also reiterated its recommendation that Congress pass legislation that would require companies to implement reasonable security practices and to notify consumers when there is a data security breach...The Commission expressed its support for federal legislation that would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The testimony notes that the Committee’s “Discussion Draft” of data security legislation accomplishes these key goals. The testimony highlights several other elements of the Discussion Draft, which gives the Commission authority to use the standard APA notice and comment procedures for rulemaking in connection with the legislation, provides for civil penalties for violations, and requires non-profit entities to adhere to the same data security and breach notification standards as for-profit entities."
A Policy Framework for the 21st Century Grid: Enabling Our Secure Energy Future, June 2011
News release: "The U.S. Department of Commerce today released a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector. The report, Cybersecurity, Innovation and the Internet Economy, focuses on the “Internet and Information Innovation Sector” (I3S) – these are businesses that range from small and medium enterprises and bricks-and-mortar firms with online services, to social networking sites and Internet-only business, to cloud computing firms that are increasingly subject to cyber attacks."
HM Treasury Review of the Money Laundering Regulations 2007: the Government response, June 2011
News release: "AVG Technologies, Inc. announced it will make its leading Family Safety software available for free in exchange for a 99 cent donation to the American Red Cross family relief efforts in Joplin, Mo. The move comes in response to research the company conducted and has released over the course of the year on early childhood technology usage trends, “Digital Diaries" and is complemented with the release of a first-of-its-kind e-book and mobile application for teaching very young children the basics of online safety, Little Bird’s Internet Security Adventure.” AVG CEO JR Smith is making appearances across the country today urging parents to consider introducing their child to Little Bird to help them learn about online safety....Roughly half of today’s children (ages 6-9) are regularly talking to their friends online and using social networks, yet 58 percent of their parents admit they are not well-informed about their children’s online social networks. The “Digital Playground,” the third stage of AVG’s year-long “Digital Diaries” research program, further reveals the increasingly digitally-literate group of 6- to 9-year-olds and their parents in North America, Europe, Australia and New Zealand to find that:
Official Google Blog: "...Through the strength of our cloud-based security and abuse detection systems, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.) Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities."
WSJ: "The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force. The Pentagon's first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country's military. In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official. Recent attacks on the Pentagon's own systems—as well as the sabotaging of Iran's nuclear program via the Stuxnet computer worm—have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks. A key moment occurred in 2008, when at least one U.S. military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact."
G8 Summit of Deauville - May 26-27, 2011: "We discussed new issues such as the Internet which are essential to our societies, economies and growth. For citizens, the Internet is a unique information and education tool, and thus helps to promote freedom, democracy and human rights. The Internet facilitates new forms of business and promotes efficiency, competitiveness, and economic growth. Governments, the private sector, users, and other stakeholders all have a role to play in creating an environment in which the Internet can flourish in a balanced manner. In Deauville in 2011, for the first time at Leaders' level, we agreed, in the presence of some leaders of the Internet economy, on a number of key principles, including freedom, respect for privacy and intellectual property, multi-stakeholder governance, cyber-security, and protection from crime, that underpin a strong and flourishing Internet. The "e-G8" event held in Paris on 24 and 25 May was a useful contribution to these debates."
"White House officials released an international cyberstrategy here today that will help to build a “coalition of nations [with a] mutual interest in securing cyberspace,” Deputy Defense Secretary William J. Lynn III said...To realize fully the benefits that networked technology promises the world, these systems must function reliably and securely. People must have confidence that data will travel to its destination without disruption. Assuring the free flow of information, the security and privacy of data, and the integrity of the interconnected networks themselves are all essential to American and global economic prosperity, security, and the promotion of universal rights. Almost a third of the world’s population uses the Internet and countless more are touched by it in their daily lives. There are more than four billion digital wireless devices in the world today. Scarcely a halfcentury ago, that number was zero. We live in a rare historical moment with an opportunity to build on cyberspace’s successes and help secure its future for U.S. citizens and the global community. For these technologies to continue to empower individuals, enrich societies, and foster the research, development, and innovation essential to building modern economies, it must retain the openness and interoperability that have characterized its explosive growth. Underlying these are technical principles and effective governance structures that demand our support. At the same time, our networks must be secure and reliable; they must retain the trust of individuals, businesses and governments, and should be resilient to arbitrary or malicious disruption."
"...the Administration has transmitted a cybersecurity legislative proposal to Capitol Hill in response to Congress’ call for assistance on how best to address the cybersecurity needs of our Nation. This is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government; fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cybersecurity. Just as importantly, it does so while providing a robust framework to protect civil liberties and privacy."
Via CDT - The Threat of Data Theft to American Consumers: "Two high profile data (Sony's Playstation and Epsilon) breaches have grabbed headlines lately because of their recency, data breach is a major longstanding problem for consumers, businesses and government. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached due to the roughly 2,460 data breaches made public since 2005.5 According to a 2010 Ponemon benchmark study, the cost of data breaches to businesses – in terms of preventing, detecting, and notifying individuals of breach, as well as legal defense and lost business opportunities – have risen considerably over the past several years. Consumers whose personal information is lost or stolen in data breaches face increased risks of identity theft, spam and phishing attacks, reduced trust toward services on which they depend, and sometimes humiliating loss of privacy over sensitive medical conditions."
News release: 1E, the global leader in IT efficiency software today announced the results of an independent study of IT professionals in the United States and United Kingdom into software efficiency. The study, commissioned in association with the International Association of Information Technology Asset Managers (IAITAM) and the Federation Against Software Theft Investors in Software (FASTIiS) conducted by Opinion Matters, revealed that software waste is endemic in organizations today, preventing cost efficiencies and unnecessarily draining IT budgets....The results of the software efficiency study were broadly similar in both territories. The study found that just 8 percent of UK organizations and 9 percent of US organizations systematically reclaim unused software licenses to save money. Respondents cited concerns about user reaction, business risk and lack of tools as reasons against action; however, the report found a clear financial imperative for every organization to do so:
DOJ OIG: The Federal Bureau of Investigation's Ability to Address the National Security Cyber Intrusion Threat (Redacted Version), Audit Report 11-22, April 2011
Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy, Jerry Brito & Tate Watkins, Mercatus Center at George Mason University, Apr 26, 2011.
EPIC: "Senator Richard Blumenthal (D-CT) wrote to Attorney General Eric Holder asking that the Department of Justice open an investigation into the Sony PlayStation security breach. Sony recently informed PlayStation Network customers that an "unauthorized user" had obtained the personal and financial information of 70 million gamers, including minors. Blumenthal wrote that whomever hacked into the PlayStation Network violated the Computer Fraud and Abuse Act. He also expressed concern about Sony's week-long delay in notifying users about the breach. In 2009, EPIC testified before Congress about the need to strengthen data breach notification laws, noting "in the absence of security obligations and breach notification requirements, it is too easy for firms to continue bad practices." For more information, see EPIC: Identity Theft.
News release: "The Electronic Frontier Foundation (EFF) and Access have launched an international campaign for HTTPS Now, rallying consumers around the world to help us make web surfing safer. HTTPS (Hypertext Transfer Protocol Secure) protects web surfing by encrypting requests from a user's browser and the resulting pages that are displayed, but many websites default to using the unencrypted and vulnerable HTTP protocol. The HTTPS Now campaign takes a three-pronged approach to protecting web surfing, including distributing updated tools for people to use to protect their web browsing, taking an Internet-wide survey of the state of HTTPS deployment, and helping website operators implement HTTPS. As a first step, individuals using the web are encouraged to install HTTPS Everywhere, a security tool for the Firefox browser developed by EFF and the Tor Project. HTTPS Everywhere automatically encrypts a user's browsing, changing it from HTTP to HTTPS whenever possible."
Declan McCullagh,Chief political correspondent, CNET: How police have obtained iPhone, iPad tracking logs
Best Practices for Keeping Your Home Network Secure, April 2011.
News release: "Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the "Verizon 2011 Data Breach Investigations Report." These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices. The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date. According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action. The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.
Presidential Policy Directive PPD-8, National Preparedness, March 30, 2011 [via FAS]
Via EPIC: "Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capitol One, Tivo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data."
Symantec Internet Security Threat Report Trends for 2010, Volume 16, Published April 2011
"Federal Trade Commission Chairman Jon Leibowitz today issued the FTC’s 2011 Annual Report at the American Bar Association’s Section of Antitrust Law Spring Meeting in Washington, DC, highlighting the agency’s continued efforts to protect financially distressed consumers and promote competition during the economic downturn.
Smartphone Security - Survey of U.S. consumers, Ponemon Institute© Research Report, Sponsored by AVG Technologies, Independently conducted by Ponemon Institute LLC, Publication Date: March 2011
News release: "The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies sponsored by Symantec Corporation. The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The study also found that for the second straight year organizations’ need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors."
You Have No Sovereignty Where We Gather – Wikileaks and Freedom, Autonomy and Sovereignty in the Cloud, Balázs Bodó - Budapest University of Technology and Economics; Stanford Law School Center for Internet and Society, March 7, 2011
News release: "For the first time, industry groups and civil liberties interests have come together to advocate a comprehensive, common approach to cybersecurity. That approach is reflected in today's release of a cybersecurity white paper that rejects government mandates and advocates for a stronger partnership between industry and government. The 20-page white paper is a joint release from CDT, U.S. Chamber of Commerce, Business Software Alliance, TechAmerica, and the Internet Security Alliance."
News release: "The Federal Trade Commission today released the list of top consumer complaints received by the agency in 2010. The list showed that for the 11th year in a row, identity theft was the number one consumer complaint category. Of 1,339,265 complaints received in 2010, 250,854 – or 19 percent – were related to identity theft. Debt collection complaints were in second place, with 144,159 complaints. The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted."
ChronoPay’s Scareware Diaries: "If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments. Tens of thousands of documents stolen and leaked last year from ChronoPay offer a fascinating look into a company that has artfully cultivated and handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software."
2010 Internet Crime Report, The Internet Crime Complaint Center (IC3), February 2011
The Cost of Cybercrime: A Detica Report in Partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, February 17, 2011
"The U.S. Office of Personnel Management (OPM), the Chief Information Officers (CIO) Council and the Chief Human Capital Officers Council's Workforce Development Subcommittee identified cybersecurity related occupations as high priorities for Governmentwide competency models. In November 2009, OPM initiated a Governmentwide study to identify critical competencies for cybersecurity work, working with the CIO Council and the National Initiative for Cybersecurity Education (NICE). Subject matter experts provided key insights, and employees and supervisors across the Government completed surveys to paint a comprehensive picture of cybersecurity work. We are pleased to provide the attached Cybersecurity competency model to support your human resources initiatives. The competencies identified may be used in such agency efforts as workforce planning, training and development, performance management, recruitment, and selection. When used for selection, the competencies must be used in conjunction with the appropriate qualification standard."
10 Conservative Principles for Cybersecurity Policy, by Paul Rosenzweig, George Washington University School of Law; Posted FEbruary 10, 2011
Official Google Blog: "Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples...that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information...2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page."
2010 U.S. Intellectual Property Enforcement Coordinator Annual Report on Intellectual Property Enforcement, U.S. Intellectual Property Enforcement Coordinator, February 2011
Federal Computer Week: "The White House's unclassified e-mail system is back up after an eight-hour outage, but the e-mail security problems may go deeper. It was disclosed February 4, 2011 that some officials alleged White House e-mails were the source of a cyberattack against British officials two months ago. Officials from the United Kingdom said today that alleged White House e-mail accounts were the source of a malware attack against U.K. government officials in late December, according to news report."
Computerworld via WSJ: "Federal authorities are investigating a computer intrusion at the company that runs the Nasdaq stock exchange, the Wall Street Journal reported Friday. According to the report, which cites anonymous sources, Nasdaq OMX Group computers were compromised sometime over the past year, but the company's trading platform was unaffected. "So far, [the perpetrators] appear to have just been looking around," the Journal quotes one source as saying. Nasdaq OMX Group runs a number of stock exchanges, including the U.S. Nasdaq, and exchanges that trade in Copenhagen, Stockholm, Helsinki, and the Baltic region. The investigation is being conducted by the U.S. Federal Bureau of Investigation and the U.S. Secret Service, the report states."
Audit Report, Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security, DOE/IG-0846, January 2011
Arbor Networks' Sixth Annual Worldwide Infrastructure Security Report
News release: "At the request of the Federal Trade Commission, a federal court has frozen the assets of corporations and an individual behind a far-reaching Internet enterprise that allegedly made more than $275 million by luring consumers into deceptive “trial” memberships, and bogus government-grant and money-making schemes. The court froze the assets of 61 corporations (collectively known as “I Works”) and their alleged ringleader, Jeremy Johnson. It placed these defendants’ assets under the control of a court-supervised receiver to help ensure that funds are available for consumer restitution when the case is concluded. In December 2010, the FTC alleged that I Works lured consumers into “trial” memberships for bogus government-grant and money-making schemes, and then repeatedly charged monthly fees for these and other memberships the consumers never ordered. According to the FTC’s complaint, the operation used websites that pitch various money-making programs or tout the availability of government grants to pay personal expenses."
National Security Cyberspace Institute - Federal Government Cybersecurity Progress: Obama Administration Report Card 2009-Present
The Man Who Spilled the Secrets: "The collaboration between WikiLeaks founder Julian Assange, the Web’s notorious information anarchist, and some of the world’s most respected news organizations began at The Guardian, a nearly 200-year-old British paper. What followed was a clash of civilizations—and ambitions—as Guardian editors and their colleagues at The New York Times and other media outlets struggled to corral a whistle-blowing stampede amid growing distrust and anger. With Assange detained in the U.K., the author reveals the story behind the headlines." By Sarah Ellison
Follow up to Critical Undersea Internet Cables Damaged Between Europe and Mideast, this related commentary, Undersea Cables: The Achilles Heel of our Economies, by Franz-Stefan Gady
"On January 10, 2011, the EastWest Institute released a report detailing the results of the First Worldwide Cybersecurity Summit: Protecting the Digital Economy, and outlining the cybersecurity initiative’s next steps as it prepares for the Second Worldwide Cybersecurity Summit in London on June 1-2. At the summit, held from May 3 to 5, 2010 in Dallas, Texas, EWI brought together over 400 technical experts, policy elites and national security officials from the Cyber40, an informal grouping of the world’s most digitally-advanced countries—among others, the United States, China, India, Russia and Estonia. Participants worked to identify problems facing crucial sectors of the Internet, such as financial services and essential government services, and forge concrete solutions to protect the world’s digital infrastructure."
News release: "At a forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt announced plans to create a National Program Office to help foster an environment in which sensitive online transactions can be carried out with greater levels of trust. The National Program Office, to be established within the Department of Commerce, would coordinate federal activities needed to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC), an Obama administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for consumers. The national office would serve as the point of contact to bring the public and private sectors together to meet this challenge."
News release: "Most Federal employees go beyond baseline IT security requirements, according to a new survey by the Government Business Council, the research division of Government Executive Media Group, and CDW Government LLC (CDW-G), a leading provider of technology solutions to government, education and healthcare customers. While 97 percent of Federal employees are required by their agencies to use authentication measures such as passwords, security tokens and biometric identifiers, most take still more security precautions to protect agency data. Respondents noted that they proactively lock their screens when they are away from their computers and only use secure network connections and agency-issued machines to further secure information...The survey, underwritten by CDW-G in partnership with HP, conducted in September 2010, captured the views of 230 randomly selected Federal defense and civilian decision makers."
Top Issues Facing Social Security Administration Management - Fiscal Year 2011, December 2010
Help Net: "In October Commtouch reported an 18% drop in global spam levels (comparing September and October). This was largely attributed to the closure of Spamit around the end of September. Spamit is the organization allegedly behind a fair percentage of the worlds pharmacy spam. Analysis of the spam trends to date reveals a further drop in the amounts of spam sent during Q4 2010. December’s daily average was around 30% less than September’s. The average spam level for the quarter was 83% down from 88% in Q3 2010. The beginning of December saw a low of nearly 74%."
"The Berkman Center for Internet & Society is pleased to share a new report, Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites by Ethan Zuckerman, Hal Roberts, Ryan McGrady, Jillian York, John Palfrey
Escaping from Microsoft’s Protected Mode Internet Explorer - Evaluating a potential security boundary, November 2010
Following WikiLeaks Releases Secret US Embassy Cables, confirmation that China hacked Google's source code - see also related information on this issue from TechCrunch.
Holiday Shopping Tips: "This holiday season the FBI reminds shoppers that cyber criminals aggressively create new ways to steal money and personal information. Scammers use many techniques to fool potential victims, including conducting fraudulent auction sales, reshipping merchandise purchased with stolen credit cards, and selling fraudulent or stolen gift cards through auction sites at discounted prices...If you have received a scam email, please notify the IC3 by filing a complaint at http://www.IC3.gov. For more information on e-scams, please visit the FBI's New E-Scams and Warnings webpage at http://www.fbi.gov/cyberinvest/escams.htm."
News release: "The Electronic Frontier Foundation (EFF) has launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against "Firesheep" and other exploits of webpage security flaws. HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking... This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough...Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly."
Follow up to Major International Hacker Pleads Guilty For Massive Attack On U.S. Retail And Banking Networks, this Sunday New York Times cover article, The Great Cyberheist, details the remarkable double life of a young man who received the "longest sentence ever handed down to an American for computer crimes."
Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy, October 2010.
Google Confronts China’s “Three Warfares”, by Timothy L. Thomas. Parameters, Summer 2010, Vol. 40, No. 2, U.S. Army War College.
State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust, September 2010
Identity Theft Trends, Patterns, and Typologies Reported in Suspicious Activity Reports Filed by Depository Institutions January 1, 2003 – December 31, 2009, released October 2010 by the Financial Crimes Enforcement Network
A Strong Britain in an Age of Uncertainty: The National Security Strategy, October 2010.
News release: "This is National Protect Your Identity Week, and the Federal Trade Commission, the nation’s consumer protection agency, has information to help consumers, businesses, and law enforcement officials safeguard personal information and take action if an identity thief strikes.
State of the Internet 2010: A Report on the Ever-Changing Threat Landscape, CA Technologies Internet Security Business Unit
Internet Security Intelligence Report, October 2010
WSJ: "Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people's names and, in some cases, their friends' names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found. The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure. The problem has ties to the growing field of companies that build detailed databases on people in order to track them online—a practice the Journal has been examining in its What They Know series. It's unclear how long the breach was in place. On Sunday, a Facebook spokesman said it is taking steps to "dramatically limit" the exposure of users' personal information."
News release: [On September 22, 2010] the Federal Trade Commission told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach. In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations..
The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted."
House Armed Services Committee: The Terrorism, Unconventional Threats, and Capabilities Subcommittee met to receive testimony on Operating in the Digital Domain: Organizing the Military Departments for Cyber Operations, September 23, 2010.
"The recent announcement that the Department of Defense (DOD) suffered a major compromise of classified military computer networks has renewed discussions about what more DOD and the government should do to operate in the digital domain. The establishment of U.S. Cyber Command and the announcement of a new cybersecurity strategy by Deputy Secretary of Defense William Lynn are important milestones, but more needs to be done....the Subcommittee is looking to discuss three main objectives for this hearing:
Hybrid Warfare, GAO-10-1036R, September 10, 2010
News release: "The airline industry, already challenged by the worst economic crisis in a generation and a massive loss of business through the Icelandic volcano disruptions, is still losing millions of dollars to fraud. A recent survey conducted by Deloitte on behalf of the International Association of Airline Auditors (IAAIA) revealed that fraud is costing each airline an average of US$2.4 million annually. Compared to the cost of the volcanic ash drama, this may not seem a large amount, but combined with the knock-on impact on customer loyalty through unchecked fraudulent practices, it can add up to a much more serious problem. Our findings reveal that a third of airlines believe fraud to be a significant problem, and one that has increased in the past year. The results of the survey make intriguing reading for anyone working in the industry. The biggest threat today comes from credit card crime, which was highlighted in a similar survey conducted by Deloitte three years ago. Organized crime, weak technology controls, and the lack of resources to monitor fraud were given as additional risk factors, with some airlines saying staff training was also inadequate."
Interbank transaction data stripped from entities blacklisted by DOJ for money laundering: "Last week Britain's Barclays Bank became the latest foreign bank to be penalized hundreds of millions of dollars for allegedly helping US-sanctioned parties clandestinely move large sums of money through the American financial system. Barclays agreed to pay $298 million for allegedly helping clients in Iran, Cuba, Libya, Sudan and Burma by "stripping" international wire transfer messages, that is, by removing any reference to the sanctioned parties so that the US banks clearing the transactions did not know that a sanctioned party was involved and therefore did not block or freeze the transaction. As odd as it may seem, this practice appears to have been commonplace amongst European banks just a few years ago. The homeland security implications are staggering."
Forbes: "The U.S. Department of Energy is in a class by itself, though. The agency receives more than 10 million attacks every day, according to Tom Pyke, the DOE's former CIO. That includes everything from simple scans all the way up to phishing attacks that attempt to use malicious code to take over. And it can be as sophisticated as any attacker--think government--can make it."
2010 Data Breach Investigations Report, A study conducted by the Verizon RISK Team in cooperation with the United States Secret Service
Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance, GAO-10-606, July 02, 2010
News release: "The National Cyber Security Alliance (NCSA), a public-private partnership focused on educating a digital citizenry to stay safe and secure online, today launched its National Cyber Security Awareness Month Web portal with information on events, activities, promotions and educational materials to be used in preparation for the online safety month to be held in October. Anyone – family, employers, consumers, teachers, and students – interested in online safety is encouraged to access the portal, and all materials are free to use."
[Federal Register: July 28, 2010 (Volume 75, Number 144)] [Notices][Page 44216-44223]: "The Department of Commerce's Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy. The Department seeks comments from all stakeholders, including the commercial, academic and civil society sectors, on measures to improve cybersecurity while sustaining innovation. Preserving innovation, as well as private sector and consumer confidence in the security of the Internet economy, are important for promoting economic prosperity and social well-being overall. In particular, the Department seeks to develop an up-to-date understanding of the current public policy and operational challenges affecting cybersecurity, as those challenges may shape the future direction of the Internet and its commercial use, both domestically and globally. After analyzing comments on this Notice, the Department intends to issue a report that will contribute to the Administration's domestic and international policies and activities in advancing both cybersecurity and the Internet economy."
"EPIC Executive Director Marc Rotenberg testified [July 15, 2010]before the House Committee on Science and Technology regarding Planning for the Future of Cyber Attack Attribution. In his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies."
The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure."
Twitter Settles Charges that it Failed to Protect Consumers’
Personal Information; Company Will Establish Independently Audited Information Security Program: "Social networking service Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the agency’s first such case against a social networking service. The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News, among others."
The Protecting Cyberspace as a National Asset Act of 2010 - This webpage links to facts sheets, summaries, comparisons and other relevant documents on this controversial legislation.
News release: "The Financial Crimes Enforcement Network (FinCEN) today released its 14th edition of the SAR Activity Review – By the Numbers, which covers suspicious activity reports (SARs) filed in 2009. The report shows that the total number of all SARs filed by financial institutions declined from 1.29 million in 2008 to 1.28 million in 2009. This is the first time since 1996 that the total number of SARs filed declined over a one-year period. SARs filed by depository institutions declined for the first time from 732,563 in 2008 to 720,309 in 2009."
U.S. Computer Emergency Readiness Team Makes Progress in Securing Cyberspace, but Challenges Remain, OIG-10-94, June 2010
News release: "A report released by UN Office on Drugs and Crime shows how organized crime has globalized and turned into one of the world's foremost economic and armed powers. The Globalization of Crime: A Transnational Organized Crime Threat Assessment, released at the Council of Foreign Relations in New York, looks at major trafficking flows of drugs (cocaine and heroin), firearms, counterfeit products, stolen natural resources and people (for sex and forced labour), as well as smuggled migrants. It also covers maritime piracy and cybercrime."
Follow up to New Yorker: Julian Assange and WikiLeak's mission for total transparency news from two sources on converging aspects of leaking national security data via MSM and alternative news outlets.
No Secrets, by Raffi Khatchadourian: "[Julian Paul] Assange is an international trafficker, of sorts. He and his colleagues collect documents and imagery that governments and other institutions regard as confidential and publish them on a Web site called WikiLeaks.org. Since it went online, three and a half years ago, the site has published an extensive catalogue of secret material, ranging from the Standard Operating Procedures at Camp Delta, in Guantánamo Bay, and the “Climategate” e-mails from the University of East Anglia, in England, to the contents of Sarah Palin’s private Yahoo account. The catalogue is especially remarkable because WikiLeaks is not quite an organization; it is better described as a media insurgency. It has no paid staff, no copiers, no desks, no office. Assange does not even have a home. He travels from country to country, staying with supporters, or friends of friends—as he once put it to me, “I’m living in airports these days.” He is the operation’s prime mover, and it is fair to say that WikiLeaks exists wherever he does. At the same time, hundreds of volunteers from around the world help maintain the Web site’s complicated infrastructure; many participate in small ways, and between three and five people dedicate themselves to it full time. Key members are known only by initials—M, for instance—even deep within WikiLeaks, where communications are conducted by encrypted online chat services. The secretiveness stems from the belief that a populist intelligence operation with virtually no resources, designed to publicize information that powerful institutions do not want public, will have serious adversaries."
FT.com: "Google is phasing out the internal use of Microsoft’s ubiquitous Windows operating system because of security concerns, according to several Google employees. The directive to move to other operating systems began in earnest in January, after Google’s Chinese operations were hacked, and could effectively end the use of Windows at Google, which employs more than 10,000 workers internationally."
EPIC: "A new White House memo sets out the Federal Information Security Management Act of 2002 (FISMA) standards for federal agencies. All agencies must comply with the FISMA standard and report security practices for information under agency control. The standard also extends obligations to agency contractors. By November 15, 2010, all agencies must be capable of monitoring all information traffic on their networks; and make reports to CyberScope, a platform launched last year to provide a single government-wide security management tool for FISMA reports. The Memorandum included requirements to respond to breaches of personal information. Agency Inspectors General will provide oversight of agency FISMA compliance."
"The Symantec Internet Security Threat Report provides an annual overview and detailed analysis of Internet threat activity, malicious code, and known vulnerabilities. The report also discusses trends in phishing, spam and observed activities on underground economy servers...report sathe ys the U.S. was top country for malicious activity, making up 19% total."
Global Cyber Deterrence - Views from China, the U.S., Russia, India, and Norway by Tang Lan, Zhang Xin, Harry D. Raduege, Jr., Dmitry I. Grigoriev, Pavan Duggal, and Stein Schjølberg. Edited by Andrew Nagorski. April 2010
Follow up to Google Announces "A new approach to China", from the New York Times: "Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s web services, including e-mail and business applications."
NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, Erika McCallister, Tim Grance, Karen Scarfone, April 2010.
"How well prepared are IT professionals within U.S. government agencies to respond to foreign cyber threats? Will government initiatives, such as the Comprehensive National Cybersecurity Initiative and the creation of the U.S. National Cybersecurity Coordinator role, be effective in addressing the challenges facing U.S. critical IT infrastructure? What is the impact of compliance on security within the federal IT environment? Commissioned by Lumension, Clarus Research Group set about to answer these and other important questions facing federal IT in Lumension’s Federal Cyber Security Outlook for 2010: National IT Security Challenges Mounting study. Clarus Research Group interviewed over 200 federal IT decision-makers and influencers about endpoint operations, IT security and compliance issues."
"This report [by the Committee on Deterring Cyberattacks; National Research Council] is the first phase of a larger project to conduct a broad, multidisciplinary examination of deterrence strategies and their possible utility to the U.S. government in its policies toward preventing cyberattacks. This first phase identifies the key issues and questions that merit examination. The next phase will engage experts to prepare papers that address key issues and questions, including those posed here. This letter report provides basic information needed to understand the nature of the problem and to articulate important questions that can drive research regarding ways of more effectively preventing, discouraging, and inhibiting hostile activity against important U.S. information systems and networks."
Information Warfare Monitor: "The Information Warfare Monitor/ (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) and the Shadowserver Foundation announce the release of Shadows in the Cloud: An investigation into cyber espionage 2.0. The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries."
Follow up to postings on security issues and erasing hard drive, from Gizmodoa detailed article with accompanying screen shots and product references: "With stories abounding of identity theft aided by information lifted from discarded storage devices, you want devices you no longer plan to use to have no usable information when they head out the door. Here's how to wipe them clean...When you erase/delete a file from your computer, it's not really gone until the areas of the disk it used are overwritten by new information. If you use the normal Windows delete function, the "deleted" file is sent to the Recycle Bin until the space it uses is required by other files. If you use Shift-Delete to bypass the Recycle Bin, the space occupied by the file is marked as available for other files. However, the file could be recovered days or even weeks later with third-party data recovery software. As long as the operating system does not reuse the space occupied by a file with another file, the "deleted" file can be recovered."
News release: "The Federal Trade Commission today reported to Congress that it is getting the word out about Internet safety for children by aggressively promoting a new booklet, Net Cetera: Chatting with Kids About Being Online, to schools, police and sheriff’s departments, and PTAs nationwide. Net Cetera explains to parents and their children how to deal with issues such as social networking, cyberbullying, using mobile phones safely, and protecting the family computer from badware. The booklet is practical, plain-language, and value-neutral, so all parents – regardless of whether they are technologically savvy – can use it to help their kids make better decisions about online behavior. It is the most recent addition to the OnGuardOnline.gov consumer education campaign, which helps people guard against Internet fraud, secure their computers, and protect their privacy."
Although many organizations do not report breaches on a timely basis, or in many instances, report them at all, the most recent Identity Theft Resource Center report reveals data protection remains a critical issue for organizations, especially financial services.
Follow up to Major International Hacker Pleads Guilty For Massive Attack On U.S. Retail And Banking Networks, this DOJ news release: "The leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government has been sentenced to 20 years and one day in prison for his role in a series of hacks into a major payment processor and several retail networks, announced Assistant Attorney General for the Criminal Division Lanny A. Breuer; U.S. Attorney for the District of Massachusetts Carmen Milagros Ortiz; U.S. Attorney for the Eastern District of New York Benton J. Campbell; U.S. Attorney for the District of New Jersey Paul J. Fishman; and Director of the U.S. Secret Service Mark Sullivan."
News release: Prepared Statement of the Federal Trade Commission On Keeping Score on Credit Scores: An Overview of Credit Scores, Credit Reports and Their Impact on Consumers, Presented by David Vladeck, Director, Bureau of Consumer Protection, Before the Subcommittee On Financial Institutions and Consumer Credit of the Committee On Financial Services, United States House of Representatives (March 24, 2010)
Cisco 2009 Annual Security Report Highlighting global security threats and trends: "The Cisco® Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and December 2009. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2010."
Official Google Blog: "On January 12, we announced on this blog that Google and more than twenty other U.S. companies had been the victims of a sophisticated cyber attack originating from China, and that during our investigation into these attacks we had uncovered evidence to suggest that the Gmail accounts of dozens of human rights activists connected with China were being routinely accessed by third parties, most likely via phishing scams or malware placed on their computers. We also made clear that these attacks and the surveillance they uncovered—combined with attempts over the last year to further limit free speech on the web in China including the persistent blocking of websites such as Facebook, Twitter, YouTube, Google Docs and Blogger—had led us to conclude that we could no longer continue censoring our results on Google.cn. So earlier today we stopped censoring our search services—Google Search, Google News, and Google Images—on Google.cn. Users visiting Google.cn are now being redirected to Google.com.hk, where we are offering uncensored search in simplified Chinese, specifically designed for users in mainland China and delivered via our servers in Hong Kong. Users in Hong Kong will continue to receive their existing uncensored, traditional Chinese service, also from Google.com.hk."
News release: "The Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center (NW3C), released the 2009 Annual Report about fraudulent activity on the Internet today. Online crime complaints increased substantially once again last year, according to the report. The IC3 received a total of 336,655 complaints, a 22.3 percent increase from 2008. The total loss linked to online fraud was $559.7 million; this is up from $265 million in 2008."
News release: "FinCEN joins with other Federal, State and Local government agencies and consumer protection organizations to recognize the 12th Annual National Consumer Protection Week (NCPW), March 7-13. This coordinated consumer education campaign encourages individuals across the country to take full advantage of their consumer rights. FinCEN provides a number of special resources to educate consumers, and the financial institutions that serve them, of potential fraud and scam attempts. FinCEN's rules help consumers by requiring financial institutions to be on the alert for illicit activity. Requirements that a financial institution know its customers can help both to provide better customer service and to prevent that customer from becoming a victim of fraud."
News release: "MANDIANT, the information security industry’s leading provider of incident response and computer forensics services and solutions, today announced formal distribution of its inaugural M-Trends report at the U.S. Department of Defense: Cyber Crime Conference 2010 in St. Louis. M-Trends spans seven years of lessons learned on the front lines of intrusion investigations for the U.S. government, defense industrial base and commercial organizations. The 29-page report details malware capabilities and techniques and other highly complex and sophisticated attack schemes used by the Advanced Persistent Threat (APT) across a breadth of organizations. Content presented in M-Trends has been derived by MANDIANT from unclassified environments and sanitized to protect victim identity and data."
The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure In May 2009, the President accepted the recommendations of the resulting Cyberspace Policy Review, including the selection of an Executive Branch Cybersecurity Coordinator who will have regular access to the President. The Executive Branch was also directed to work closely with all key players in U.S. cybersecurity, including state and local governments and the private sector, to ensure an organized and unified response to future cyber incidents; strengthen public/private partnerships to find technology solutions that ensure U.S. security and prosperity; invest in the cutting-edge research and development necessary for the innovation and discovery to meet the digital challenges of our time; and begin a campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms and begin to build the digital workforce of the 21st century. Finally, the President directed that these activities be conducted in a way that is consistent with ensuring the privacy rights and civil liberties guaranteed in the Constitution and cherished by all Americans."
News release: "The Federal Trade Commission and other government agencies and national consumer groups are sponsoring the 12th annual National Consumer Protection Week from March 7-13, 2010. The event is a coordinated consumer education campaign that encourages individuals across the country to take full advantage of their consumer rights. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life, from grade school to retirement. In keeping with the theme, the consumer education campaign features a Web site with a page for kids and parents, as well as games, videos, and links other Web sites that teach practical lessons about the role of business and government in everyday life. The site, www.consumer.gov/ncpw, provides information that encourages people to take full advantage of their consumer rights, and promotes free resources to help people protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams."
EPIC: "Ponemon Institute released its annual study identifying the top twenty companies that are most trusted for privacy. American Express was ranked first, earning the Most Trusted for Privacy distinction for the fifth year in a row. Facebook suffered several privacy missteps over the last year, including a recent change in privacy settings at the end of 2009, and as a result, failed to make the 2010 list. Google, however, returned to the Top 20, ranked at 13. The survey also produced significant findings regarding consumer attitudes towards privacy, including the finding that consumers feel they are losing control over their personal information. Further, the responses revealed that consumers’ fear of identity theft is the main factor for brand trust diminishment, while a company’s implementation of privacy features contribute to brand trust. Other significant positive factors were limits on the collection of personal information and online anonymity."
Directive-Type Memorandum (DTM) 09-026 - Responsible and Effective Use of Internet-based Capabilities, February 25, 2010
News release: "NetWitness, the world leader in advanced persistent threat detection and real-time network forensics, announced today that its analysts have discovered a dangerous new ZeuS botnet affecting 75,000 systems in 2,500 organizations around the world. The newly-discovered infestation, dubbed the "Kneber botnet" after the username linking the infected systems worldwide, gathers login credentials to online financial systems, social networking sites and email systems from infested computers and reports the information to miscreants who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities. NetWitness first discovered the Kneber botnet in January during a routine deployment of the NetWitness advanced monitoring solutions. Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines."
Security Labs Report Jul 2009-Dec 2009 Recap - "This report has been prepared by the M86 Security Labs team. It covers key trends and developments in Internet security over the last six months, as observed by the security analysts at M86 Security Labs. M86 Security Labs is a group of security analysts specializing in Email and Web threats, from spam to malware.
Key Points of this report:
2010 Identity Fraud Survey Report: Consumer Version
News release: "The Federal Trade Commission today told the U.S. Senate Committee on Commerce, Science and Transportation that the agency has stepped up efforts to protect consumers affected by the economic downtown, and that additional authority would make the agency even more effective. The testimony presented by FTC Chairman Jon Leibowitz described the agency’s efforts to prosecute financial fraud and deception, including working with states to bring hundreds of cases against mortgage relief scams in 2009. The testimony also discussed the FTC’s rulemaking and consumer education initiatives, how additional authority will enhance the agency’s effectiveness, and the FTC’s perspective on recent proposals to create a consumer financial protection agency as part of a broader reform of the financial services regulatory system."
Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, Dennis C. Blair, Director of National Intelligence, February 2, 2010
The quarterly APWG (AntiPhishing Working Group) Phishing Activity Trends Report analyzes phishing attacks reported to the APWG by its member companies, its Global Research Partners, through the organization’s website and by email submissions. APWG also measures the evolution, proliferation and propagation of crimeware drawing from the research of our member companies. In the last half of this report you will find tabulations of crimeware statistics and related analyses."
News release: Arab States define key ICT development priorities Broadband, digital broadcasting, open source software, Arab digital content and cybersecurity are main objectives. "The Arab States Regional Preparatory Meeting (RPM) for the International Telecommunications Union (ITU) World Telecommunication Development Conference 2010 (WTDC-10) concluded on Tuesday, 19 January in Damascus, Syrian Arab Republic, with delegates reaching consensus on regional strategies to foster the development of information and communication technologies (ICTs)."
News release: "McAfee, Inc. revealed [at the World Economic Forum Annual Meeting 2010] the staggering cost and impact of cyberattacks on critical infrastructure such as electrical grids, oil and gas production, telecommunications and transportation networks. A survey of 600 IT security executives from critical infrastructure enterprises worldwide showed that more than half (54%) have already suffered large scale attacks or stealthy infiltrations from organized crime gangs, terrorists or nation-states. The average estimated cost of downtime associated with a major incident is $6.3 million per day. The report, In the Crossfire: Critical Infrastructure in the Age of Cyberwar, commissioned by McAfee and authored by the Center for Strategic and International Studies (CSIS), also found that the risk of cyberattack is rising. Despite a growing body of legislation and regulation, more than a third of IT executives (37%) said the vulnerability of their sector had increased over the past 12 months and two-fifths expect a major security incident in their sector within the next year. Only 20% think their sector is safe from serious cyberattack over the next five years."
OPNAV NOTICE 5400, January 11, 2010: "Action will establish U. S. Fleet Cyber Command as an echelon II command to serve as the Navy Component Commander to United States Cyber Command upon its establishment. Interim reporting will be to United States Strategic Command. Command will provide for operational employment of the Navy's cyber, network operations, information operations, cryptologic and space forces, and serve as the Navy's Service Cryptologic Component Commander to the National Security Agency. U.S. Tenth Fleet. will be re-commissioned to control operations supporting U. S. Fleet Cyber Command.
Christian Science Monitor: "At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage. The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show. The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show. The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says."
"This 2009 Ponemon Institute 2009 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent the cost estimates of activities resulting from the actual data loss incidents. This is the fifth annual survey of this issues. Breaches included in the survey included ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors."
Global Risks 2010 - A Global Risk Network Report. A World Economic Forum Report in collaboration with Citi, Marsh & McLennan Companies (MMC), Swiss Re, Wharton School Risk Center, Zurich Financial Services. January 2010.
News release: "McAfee Inc. unveiled its 2010 Threat Predictions report. McAfee Labs believes cybercriminals will target social networking sites and third-party applications, use more complex Trojans and botnets to build and execute attacks, and take advantage of HTML 5 to create emerging threats. McAfee Labs also predicts 2010 will be a good year for law enforcement’s fight against cybercrime...Facebook, Twitter, and third-party applications on these sites are rapidly changing the criminal toolkit, giving cybercriminals new technologies to work with and hot spots of activity that can be exploited. Users will become more vulnerable to attacks that blindly distribute rogue apps across their networks, and cybercriminals will take advantage of friends trusting friends to get users to click on links they might otherwise treat cautiously. The use of abbreviated URLs on sites like Twitter make it even easier for cybercriminals to mask and direct users to malicious Web sites. McAfee Labs predicts that cybercriminals will increasingly use these tactics across the most popular social networking sites in 2010."
Security in the Ether - Information technology's next grand challenge will be to secure the cloud--and prove we can trust it. By David Talbot, Technology Review, January/February 2010 [Dan Mitchel]
News release: "Albert Gonzalez, 28, of Miami, pleaded guilty today to conspiring to hack into computer networks supporting major American retail and financial organizations, and to steal data relating to tens of millions of credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, U.S. Attorney for the District of New Jersey Paul J. Fishman, U.S. Attorney for the District of Massachusetts Carmen Milagros Ortiz and Director of the U.S. Secret Service Mark Sullivan. Gonzalez, aka “segvec,” “soupnazi” and “j4guar17,” pleaded guilty to two counts of conspiracy to gain unauthorized access to the payment card networks operated by, among others, Heartland Payment Systems, a New Jersey-based card processor; 7-Eleven, a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. The plea was entered in federal court in Boston before U.S. District Court Judge Douglas P. Woodlock. The case is one of the largest data breaches ever investigated and prosecuted in the United States."
News release: "The Federal Trade Commission has launched its Web site and blog for National Consumer Protection Week 2010, which will be held March 7-13. Consumer.gov/ncpw, encourages people to learn about their rights as consumers, and promotes free resources to help them protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams. The twelfth annual consumer protection week is a partnership between the FTC and other government agencies and consumer groups. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life – from grade school to retirement. The site for the event features a page for kids and parents, and highlights games, videos, and other Web sites that teach kids practical lessons about the role of business and government in their everyday lives."
News release: "The Federal Trade Commission today issued a Fraud Forum staff report that examines more effective ways to protect consumers from fraudulent schemes and focus the collective knowledge and experience of forum participants to fight fraud. The February 2009 Forum was attended by academics, consumer advocates, industry representatives, and state and federal law enforcers. The Fraud Forum Report summarizes information presented at the event during panel and small group discussions on a range of issues including: the psychology of scammers and their victims, fraud statistics, under-reported fraud, and the role of private industry in detecting and preventing fraud."
DRAFT Security Requirements for Cryptographic Modules (Revised Draft): "The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing."
News release: "A new booklet released today by the Federal Trade Commission and other government agencies helps parents and teachers steer kids safely through the online and mobile phone worlds. Net Cetera: Chatting with Kids About Being Online was unveiled...by FTC Chairman Jon Leibowitz, U.S. Secretary of Education Arne Duncan, and Federal Communications Commission Chairman Julius Genachowski."
News release: "The Federal Trade Commission has issued a report to Congress examining how the agency has used the expanded law enforcement authority Congress provided in the U.S. SAFE WEB Act to protect American consumers since the Act was signed into law on December 22, 2006. The SAFE WEB Act authorizes the FTC to share information and work cooperatively with foreign law enforcement agencies to protect consumers from cross-border harm."
"The Federal Trade Commission [is hosting] a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation." Via EPIC, The second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law.
Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model: "The Internet Security Alliance (ISA) report aimed at taking the Obama Administration’s Cyberspace Policy Review document to the next level. The report emphasizes the need to focus on the economics of cyber security."
"The United States is increasingly dependent on information and information technology for both civilian and military purposes, as are many other nations. Although there is a substantial literature on the potential impact of a cyberattack on the societal infrastructure of the United States, little has been written about the use of cyberattack as an instrument of U.S. policy. Cyberattacks--actions intended to damage adversary computer systems or networks--can be used for a variety of military purposes. But they also have application to certain missions of the intelligence community, such as covert action. They may be useful for certain domestic law enforcement purposes, and some analysts believe that they might be useful for certain private sector entities who are themselves under cyberattack. This report considers all of these applications from an integrated perspective that ties together technology, policy, legal, and ethical issues. Focusing on the use of cyberattack as an instrument of U.S. national policy, Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights. Of special interest to the military, intelligence, law enforcement, and homeland security communities, this report is also an essential point of departure for nongovernmental researchers interested in this rarely discussed topic."
Global Fraud Report Annual Edition 2009/2010
Evaluation Report, The Department's Unclassified, Cyber Security Program - 2009. DOE/IG-0828 October 2009
News release: "ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000. In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention."
Cyberdeterrence and cyberwar, by Martin C. Libicki: "This monograph presents the results of a fiscal year 2008 study, “Defining and Implementing Cyber Command and Cyber Warfare.” It discusses the use and limits of power in cyberspace, which has been likened to a medium of potential conflict, much as the air and space domains are. The study was conducted to help clarify and focus attention on the operational realities behind the phrase “fly and fight in cyberspace.” The basic message is simple: Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities. Permanent effects are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do so again. Something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought. This monograph is an attempt to start this rethinking."
National Identity Theft Prevention Week - UK's Fraud Prevention Service resources:
FBI news release: "The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks. [October 7, 2009], authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme. The United States government is extremely grateful for the extraordinary assistance provided by the Egyptian government in this matter."
"The U.S. is facing a cyber war. Foreign powers, criminal groups, hackers, and terrorist organizations have launched cyber attacks on the White House, Pentagon, State Department, and New York Stock Exchange; stolen data from the Pentagon’s fighter aircraft; and hacked into the nation’s electrical grid. There were millions of attempts to penetrate defense digital networks in 2008. In 2009, the General Accountability Office reported weaknesses in the capabilities of 23 of 24 federal agencies to detect or prevent cyber attacks. President Obama declared cybersecurity to be one of the nation’s most serious economic and security challenges. The federal government needs a coordinated, sustained effort to build the capability and caliber of the government’s cybersecurity workforce to combat these threats and ensure the nation’s safety. Booz Allen Hamilton and the Partnership for Public Service examined the state of the federal cybersecurity workforce by interviewing federal experts, examining public testimony and reports, holding focus groups, and surveying chief information officers (CIOs), chief information security officers (CISOs), and human resource professionals at 18 federal agencies. Results of this research were published in the study, Cyber In-Security: Strengthening the Federal Cybersecurity Workforce."
National Cybersecurity Awareness Month: "October marks the sixth annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. The theme for National Cybersecurity Awareness Month 2009 is “Our Shared Responsibility” to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good “cyber hygiene” and to protect themselves and their families at home, at work and at school. Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace."
In following this January 9, 2009 memo, Legal Issues Relating to the Testing, Use and Deployment of an Intrusion-Detection System (EINSTEIN 2.0) to Protect Unclassified Computer Networks in the Executive Branch, this DOJ memo released September 18, 2009: Legality of Intrusion-Detection System To Protect Unclassified Computers Networks In Executive Branch - "Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws."
"reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows...A CAPTCHA is a program that can tell whether its user is a human or a computer. You've probably seen them — colorful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from "bots," or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots cannot navigate sites protected by CAPTCHAs."
News release: "Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., Sunday said the latest trend in cybercrime is directed at small to medium sized companies that have been robbed of both data and dollars...The thieves steal in amounts under $10,000 to avoid triggering a bank report required by anti-money laundering law. The malware is so well written that the traffic seems to be coming from an authorized computer – and possibly is a legitimate computer that has been commandeered. The money is then transferred to “money mules” who may have been recruited over internet job boards or who have posted resumes on a job listing serviceThe Committee will hold a hearing September 14, 2009, Cyber Attacks: Protecting Industry Against Growing Threats, to examine this new trend, and the Senators plan to introduce broad cyber security legislation later this fall that will improve cyber security in the private sector."
Follow up to August 1, 2009 posting - Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks - today's news release: "An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity. Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks."
"PandaLabs issued a release on the proliferation of identity theft malware during times of economic crisis. Our research found that the number of users affected by malware designed for identity theft has increased 600 percent this year compared to the same time in 2008. PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats each day. Of these, 71 percent are Trojans, mostly aimed at stealing bank details or credit card numbers, as well as passwords for other commercial services. Between January and July 2009, PandaLabs received 11 million new threats, approximately 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51 percent of new Trojans that PandaLabs received in 2007."
News release: "Albert Gonzalez, 28, of Miami, Fla., was indicted today for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of New Jersey Ralph J. Marra Jr. and U.S. Secret Service Assistant Director for Investigations Michael Merritt...The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."
Remarks by Secretary Napolitano at the Global Cyber Security Conference, August 4, 2009: "We have to look at the landscape now; but, more important, we have to—I think—acknowledge amongst ourselves that in terms of cybersecurity we've been living in a cyber 1.0 world and we need to be cyber 3.0 and beyond. Because the minute we start talking about a particular methodology of cyber the cyber bad guys are already moving ahead. This is a very, very rapidly evolving environment in which real crime and real damage can occur."
News release: "The Federal Trade Commission testified today before the U.S. Senate on its efforts to combat deceptive advertising in the face of rapid changes in health care, technology, and online marketing strategies. In testimony before the Senate Committee on Commerce, Science, and Transportation’s Subcommittee on Consumer Protection, Product Safety, and Insurance, David Vladeck, Director of the FTC’s Bureau of Consumer Protection, described the Commission’s recent law enforcement and regulatory efforts addressing deceptive advertising."
News release: Javelin Strategy & Research released its Fifth Annual Card Issuers’ Identity Safety Scorecard, which analyzes the top 25 U.S. card issuers’ capabilities for protecting customers from identity fraud. To compile the report, Javelin incorporated data from annual household, consumer, and issuer surveys using Javelin’s Prevention, Detection and Resolution™ criteria to accurately reflect customer demands and trends in how issuers protect against fraud. The Javelin scorecard is a structured assessment of each issuer’s fraud protection services. The scorecard ranks features that best empower two major victims of the nation’s $48B identity fraud problem—cardholders and issuers—showing how to turn the tables on a worrying method of crime."
News release: "The Federal Trade Commission testified before the U.S. Senate today on the agency’s campaign to crack down on scammers who are trying to take advantage of the economic downturn to push a variety of scams, such as phony job-placement and debt-reduction services, get-rich-quick schemes, and bogus government grants...In response to the rise in financial distress scams, on July 1, 2009, the Commission announced “Operation Short Change,” a joint initiative with 14 states, the Department of Justice, and other agencies that included more than 120 law enforcement actions."
PBS.org FRONTLINE - Ghana, Digital Dumping Ground: "When containers of old computers first began arriving in West Africa a few years ago, Ghanaians welcomed what they thought were donations to help bridge the digital divide. But soon exporters learned to exploit the loopholes by labeling junk computers "donations"...[What is on the hard drives from this junk PCs'?] There is private financial data...credit card numbers, account information, records of online transactions the original owners may not have realized were even there. Ghana is listed by the U.S. State Department as one of the top sources of cyber crime in the world. And it's not just individuals who are exposed. One of the drives the team has purchased contains a $22 million government contract. It turns out the drive came from Northrop Grumman, one of America's largest military contractors. And it contains details about sensitive, multi-million dollar U.S. government contracts. They also find contracts with the defense intelligence agency, NASA, even Homeland Security."
News release: "The Federal Trade Commission today announced a law enforcement crackdown on scammers trying to take advantage of the economic downturn to bilk vulnerable consumers through a variety of schemes, such as promising non-existent jobs; promoting overhyped get-rich-quick plans, bogus government grants, and phony debt-reduction services; or putting unauthorized charges on consumers’ credit or debit cards. Dubbed “Operation Short Change,” the law enforcement sweep announced today includes 15 FTC cases, 44 law enforcement actions by the Department of Justice, and actions by at least 13 states and the District of Columbia."
U.S. Department of Education, Office of Inspector General, Information Technology Audits Division - Incident Handling and Privacy Act Controls over External Web Sites, Final Audit Report, Redacted, ED-OIG/A11I0006, June 10, 2009.
"Corporate websites generally offer more innovative features than public-sector sites, largely because the private sector spends about a third more on websites, according to a Brookings Institution study, Comparing Technology Innovation in the Private and Public Sectors. The study, released in mid-June, compares the websites of leading U.S. corporations with state and national governments, grades their overall performance, and examines nearly two dozen features of digital innovation.
Using a 100-point scale, the study report concludes that corporations have the most innovative websites (65 points) and are trailed as a group by state government (54) and federal government (51). The top-rated site in the federal government category, USA.gov (92), equaled the score for the top-rated corporate site, WellsFargo.com. Other top-rated federal sites were USDA.gov, GSA.gov, USPS.com, IRS.gov, and ED.gov. Delaware.gov (83.7) was the top-rated state site, followed by the official websites of Georgia, Florida, California, Massachusetts and Maine. The report also revealed that public websites provide more security and are better at protecting privacy. Although federal government websites were the most accessible to users with disabilities, 75% percent of its websites were not completely accessible."
WSJ: "Defense Secretary Robert Gates created a new military command dedicated to cyber security on Tuesday, reflecting the Obama administration's plans to centralize and elevate computer security as a major national-security issue. In a memo to senior Pentagon officials, Mr. Gates said he intends to recommend that Lt. Gen. Keith Alexander, director of the National Security Agency, take on the additional role as commander of the Cyber Command with the rank of a four-star general."
2009 Trust, Security & Passwords Survey Research Brief: "This global "snooping" survey is the third in a series of benchmark studies focused on identifying security and privacy trends among IT workers. Results are intended to raise awareness about the risks associated with powerful, and often unmanaged, privileged users and passwords. While seemingly innocuous, these accounts provide workers with "keys to the kingdom," allowing them to access critically sensitive information, no matter where it resides."
News release: "Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address. The “Red Flags and Address Discrepancy Rules,” which implement sections of the Fair and Accurate Credit Transactions Act of 2003, were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC)."
News release: "A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP’s upstream providers and data centers have disconnected its servers from the Internet."
White House: Securing Our Digital Future, Melissa Hathaway, Cybersecurity Chief at the National Security Council, discusses securing our nation's digital future.
"NIST announces that its working definition of cloud computing is available. Researchers worked in collaboration with industry and government to draft the definition that serves as a foundation for its research and future publication on the topic. Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Researchers are studying cloud architectures, economics, security and deployment strategies for the federal government."
News release: " The Online Trust Alliance (OTA) gave leading government agencies and online retailers a failing grade in preventing deceptive email and phishing scams based on its newly released analysis of email authentication adoption. While adoption has grown over the past year, OTA found approximately 56 percent of the top .gov sites – including Whitehouse.gov, FBI.gov, Treasury.gov and DHS.gov – still are not protecting U.S. citizens through the use of email authentication. At the same time, progress has been made by other government agencies including the Census Bureau, CIA, FDIC, VA and FTC."
News release: "...the Online Trust Alliance (OTA) released its 2009 draft Online Trust Principles for public comment. The Principles are a major step toward establishing business practices that afford greater consumer online protection and the long term vitality of online commence and interactive marketing."
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a one-year period. It covers Internet threat activities, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The fourteenth version of the report, released April 14, 2009, is now available."
"Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials...But protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage."
National Academies Press, prepublication: Sustainable Critical Infrastructure Systems: A Framework for Meeting 21st Century Imperatives, 2009.
Follow up to April 5, 2009 posting Senate Staff Working Draft of Cybersecurity Act of 2009, see this related CRS report: Comprehensive National Cybersecurity Initiative (CNCI): Legal Authorities and Policy Considerations, March 10, 2009
CDT: "A cybersecurity bill introduced April 01, 2009 in the Senate would give the federal government extraordinary power over private sector Internet services, applications and software. The Cybersecurity Act of 2009 would, for example, give the President unfettered power to shut down Internet traffic in emergencies or disconnect any critical infrastructure system or network on national security grounds. The bill would grant the Commerce Department the ability to override all privacy laws to access any information about Internet usage in connection with a new role in tracking cybersecurity threats. The bill, introduced by Sens. John Rockefeller and Olympia Snowe, would also give the government unprecedented control over computer software and Internet services, threatening innovation, freedom and privacy. CDT President and CEO Leslie Harris said, "The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."
"In December 2003, the Internet Fraud Complaint Center (IFCC) was renamed the Internet Crime Complaint Center (IC3) to better reflect the broad character of such criminal matters having a cyber (Internet) nexus. The 2008 Internet Crime Report is the eighth annual compilation of information on complaints received and referred by the IC3 to law enforcement or regulatory agencies for appropriate action. From January 1, 2008 – December 31, 2008, the IC3 website received 275,284 complaint submissions. This is a (33.1%) increase when compared to 2007 when 206,884 complaints were received. These filings were composed of complaints primarily related to fraudulent and non-fraudulent issues on the Internet."
WSJ: "The government's coordinator for cybersecurity programs has quit, criticizing what he described as the National Security Agency's grip on cybersecurity. Rod Beckstrom, a former Silicon Valley entrepreneur, said in his resignation letter that the NSA's central role in cybersecurity is "a bad strategy" because it is important to have a civilian agency taking a key role in the issue. The NSA is part of the Department of Defense."
"The Federal Trade Commission released the list of top consumer complaints received by the agency in 2008. The list, contained in the publication Consumer Sentinel Network Data Book for January-December 2008, showed that for the ninth year in a row, identity theft was the number one consumer complaint category. Of 1,223,370 complaints received in 2008, 313,982 – or 26 percent – were related to identity theft."
Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data, February 23, 2009
News release: "President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security. This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector. "The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Assistant to the President for Counterterrorism and Homeland Security John Brennan. Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period."
News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."
The Top 25 Errors are listed below in three categories:
"The Global state of information security survey 2008 is a worldwide security survey by PricewaterhouseCoopers, CIO Magazine and CSO Magazine. It was conducted online from March 25 to June 26, 2008. Readers of CIO and CSO Magazines and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 119 countries. Thirty-nine percent (39%) of respondents were from North America, twenty-seven percent (27%) from Europe, seventeen percent (17%) from Asia, fifteen percent (15%) from South America, and two percent (2%) from the Middle East and South Africa."
News release: "Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest."
"Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” For more information visit EPIC’s A-Z Privacy Page."
News release: "The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities...The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud...The FTC report also recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted that such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability of SSNs could unintentionally curtail those functions. Finally, the report recommends steps to improve data security, increase outreach to consumers and businesses on the protection of SSNs, and enhance coordination and information-sharing among organizations that routinely use SSNs."
"The Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency has released its final report, Securing Cyberspace for the 44th Presidency. The Commission’s three major findings are: cybersecurity is now one of the major national security problems facing the United States; decisions and actions must respect American values related to privacy and civil liberties; and only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation."
From the ICC Commercial Crime Services (CCS) - "the anti-crime arm of the International Chamber of Commerce": Live Piracy Map 2008 - "This map shows all the piracy incidents reported by the IMB Piracy Centre in Kuala Lumpur during 2008. Please click on the pins for more details of the specific incident or zoom in for more accurate location information."
Online Threats to Youth: Solicitation, Harassment, and Problematic Content, Literature Review by the Research Advisory Board of the Internet Safety Technical Task Force, Andrew Schrock and Danah Boyd, Berkman Center for Internet & Society, Harvard University, Draft Version. November 14, 2008
Worldwide Infrastructure Security Report, Volume III: "Arbor Networks®, Inc., in cooperation with the Internet security operations community, has completed the third edition of an ongoing series of annual operational security surveys. This survey, covering a 12-month period from July 2006 through June 2007, is designed to provide data useful to network operators so that they can make informed decisions about their use of network security technology to protect their mission-critical infrastructures. It is also meant to serve as a general resource for the Internet operations and engineering community, recording information on trends and employment of various infrastructure security techniques."
Spamalytics: An Empirical Analysis of Spam Marketing Conversion, October 2008 - Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson† Stefan Savage
News release: "The total number of breaches in on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event."
Office of Science and Technology Policy (OSTP) in the Executive Office of the President - Identity Management Task Force Report 2008, released September 2008
News release: "Attorney General Michael B. Mukasey and Federal Trade Commission Chairman William E. Kovacic announced today the release of a report from the President’s Identity Theft Task Force on progress the federal government has made in addressing identity theft since the Task Force’s Strategic Plan was released last year. Highlights of the report include expansion of the Task Force’s data security and identity theft business and consumer education campaigns; exploring means of improving consumer authentication processes to prevent the use of stolen information to commit identity theft; launching new initiatives to help identity theft victims recover; and improving law enforcement tools to investigate and prosecute identity thieves."
FOX News: "The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.
In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an "unprecedented crisis." In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public."
News release: "Online scammers are taking advantage of tough economic times. While e-mails phishing for sensitive data are nothing new, scammers are taking advantage of upheavals in the financial marketplace to confuse consumers into parting with valuable personal information. The Federal Trade Commission urges caution regarding e-mails that look as if they come from a financial institution that recently acquired a consumer’s bank, savings and loan, or mortgage. In fact, these messages may be from “phishers” looking to use personal information – account numbers, passwords, Social Security numbers – to run up bills or commit other crimes in a consumer’s name. Consumers are warned not to take the bait. The FTC has advice about how to stay on guard against this type of scam. To learn more, see the consumer alert Bank Failures, Mergers and Takeovers: A ‘Phish-erman’s Special.
News release: "The Federal Trade Commission’s Web site that helps consumers stay on guard against Internet fraud is revamping to provide extra tools for cyber safety. The FTC’s announcement of the newly designed and improved site comes on the first day of October, which is National Cyber Security Awareness Month. Since the September 2005 launch of www.OnGuardOnline.gov and its Spanish-language counterpart, www.AlertaEnLínea.gov, more than 8.1 million visitors have learned about computer security at these sites. Now, with the help of 22 federal agencies, industry organizations, and non-profit groups, the FTC has introduced a variety of new features to help consumers avoid Internet fraud, secure their computers, and protect their personal information...The articles, games, and videos on the site provide information on 16 topics, including social networking, phishing, spam scams, and laptop security."
The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2008, DOE/IG-0802 September 2008
Cybercrime against Businesses, 2005: "Presents the nature and prevalence of computer security incidents among 7,818 businesses in 2005. This is the first report to provide data on monetary loss and system downtime resulting from cyber incidents. It examines details on types of offenders, reporting of incidents to law enforcement, reasons for not reporting incidents, types of systems affected, and the most common security vulnerabilities. The report also compares in-house security to outsourced security in terms of prevalence of cyber attacks. Appendix tables include industry-level findings."
News release: "...today's topic is going to cover a different kind of vulnerability, not the vulnerability to identity but the vulnerability to the physical world in which we operate. That is our critical infrastructure. And I want in particular to talk about how these vulnerabilities look to me as we enter the 21st century, and what we have to do to reduce the risk to our critical infrastructure in the years to come."
Cyber Security Tip ST05-018 - Understanding Voice over Internet Protocol (VoIP): "Because VoIP relies on your internet connection, it may be vulnerable to any threats and problems that face your computer. The technology is still new, so there is some controversy about the potential for attack, but VoIP could make your telephone vulnerable to viruses and other malicious code. Attackers may be able to perform activities such as intercepting your communications, eavesdropping, conducting effective phishing attacks by manipulating your caller ID, and causing your service to crash. Activities that consume a large amount of network resources, like large file downloads, online gaming, and streaming multimedia, will also affect your VoIP service."
Threats to Internet Routing and Global Connectivity, 20th Annual FIRST Conference, Vancouver, British Columbia Canada, June 2008 (69 page presentation) includes discussion of the following topics:
News release: "Today, the total number of breaches in on the Identity Theft Resource Center’s (ITRC) 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event....Breaches: 449 Exposed: 22,091,338."
News release: "Secretary Chertoff spoke on the balance between privacy and secure identity August 13 at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events. He addressed crimes involving identity theft, and talked about identity validation and authentication, the associated financial costs, the effect on illegal workers, the universe of tools available for identity management, and possible solutions that address the concerns of privacy advocates."
News release: "State attorneys general received thousands of consumer complaints of online fraud and abuse in 2006 and 2007 and yet, with the exception of several notable standouts, brought few significant cases in response, according to a report released today from the Center for American Progress and the Center for Democracy and Technology, Online Consumers at Risk and the Role of State Attorneys General."
Official Google Enterprise Blog: "In July, our Postini datacenters saw the biggest volume of email virus attacks so far in 2008, with a peak of nearly 10 million messages on July 24. One of the more prominent attacks in the month involved a spoofed UPS package-tracking link that was intended to lure recipients into clicking on it and downloading malware. Our zero-hour virus protection technology first started catching these emails on July 20."
M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 14, 2008) (43 pages)
News release: "The Federal Trade Commission today released a staff report on a Roundtable Discussion on Phishing Education that it hosted in April. Approximately 60 experts from business, government, the technology sector, the consumer advocacy community, and academia met at the FTC to discuss strategies for outreach to consumers about avoiding phishing. Phishers use deceptive spam that appears to come from legitimate, well-known sources to trick consumers into divulging sensitive or personal information, such as credit account numbers or passwords, often through a link to a copycat of the purported source’s Web site."
Federal Trade Commission: "Financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new Red Flags Rules.
The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.
The Commission staff is launching an outreach effort to explain the Rules in greater detail. It has now published a general alert on what the Rules require, and, in particular, an explanation of which businesses - financial institutions and creditors - are covered by the Rules."
News release: "The Federal Trade Commission plans to study the experiences of identity theft victims by conducting a survey of consumers who contacted the FTC after they were victimized. The proposed survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge. The survey will seek information from identity theft victims who contacted the FTC between January 1 and May 30, 2008, and will inquire about their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights. The survey results will help guide the FTC’s efforts to enforce the law and educate consumers and the consumer reporting industry about their rights and duties."
News release: "The ITRC Breach Report total has reached an all-time high. Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The actual number of breaches is likely even higher, due to underreporting and the fact that some of the breaches reported as a single event actually affected multiple businesses.
The ITRC Breach Report sub-divides all breaches into five categories. To date, the 2008 ITRC Breach Stats Report indicates the following: 17.0% government/military agencies, 21.3% from educational institutions, 36.8% from general businesses, 14.9% from health care facilities / companies, and 10% from banking / credit / financial services entities.
Click here for the 2008 ITRC Breach report. Click here for the 2008 ITRC Breach Stats Report broken down by categories which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care). Please check regularly as this list is updated weekly.
A Guide to Protecting Your Identity Online, Rosemary Haworth, PC Advisor
Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.
News release: "The Federal Trade Commission...told the Senate Committee on Commerce, Science, and Transportation that “legislation authorizing the Commission to seek civil penalties in spyware cases could add a potent remedy to those otherwise available to the Commission.” In testimony to the Committee, Eileen Harrington, Deputy Director of the FTC’s Bureau of Consumer Protection, said that when other enforcement options – seeking consumer redress or making the operators give up their ill-gotten gains – are not appropriate or sufficient remedies to deter spyware distributors, “a civil penalty may be the most appropriate remedy and serve as a strong deterrent.” The testimony states that the agency supports legislation that would provide “the Commission this valuable law enforcement tool.”
OIG: The Social Security Administration's Internal Use of Employees' Social Security Numbers. A-13-07-27164 06/09/08
Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University
Akamai, 1st Quarter 2008 - The State of the Internet Report.
"During the first quarter, Akamai observed attack traffic originating from 125 unique countries around the world. China and the United States were the two largest attack traffic sources, accounting for some 30% of this traffic in total. Akamai observed attack traffic targeted at 23 unique network ports. Many of the ports that saw the highest levels of attack traffic were targeted by worms, viruses, and bots that spread across the Internet several years ago. A number of major network “events” occurred during the first quarter that impacted millions of Internet users. Cable cuts in the Mediterranean Sea severed Internet connectivity between the Middle East and Europe, drastically slowing communications. Cogent’s de-peering of Telia
impacted Internet communications for selected Internet users in the United States and Europe for a two-week period. A routing change by Pakistan Telecom that spread across the Internet essentially took YouTube, a popular Internet video sharing site, offline for several hours.
Via Google Blogoscoped, "Google [has a] malware diagnosis service; just append any domain – your domain or another site you want to check on – to the end of the URL google.com/safebrowsing/diagnostic?site=, or paste a domain in the box below, and you will find an overview page listing potential problems like trojans or exploits (or the result may be telling you the site is OK)."
Chairman Kelliher testified before the House Homeland Security Committee, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid
Yahoo Search Blog: "Today, we're announcing the beta release of SearchScan, a new feature from Yahoo! Search that helps protect users from viruses, spyware and spam. We've heard from users that security and privacy continue to be major concerns when they are online. We've also learned that solutions that require downloads and constant updating are less than ideal. To tackle the problem, we partnered with McAfee to build a feature that provides a safer and hassle-free search experience to all users...How does it work? SearchScan leverages McAfee's SiteAdvisor technology to alert users if risky websites appear in Yahoo! Search results. Starting today, SearchScan will be turned on by default for all users in the U.S., Canada, UK, France, Italy, Germany, Australia, New Zealand, and Spain..."
European Digital Rights: "The European Ministers of Justice and Internal Affairs have agreed to make publishing bomb-making instructions on the Internet a crime...Justice and interior ministers from the EU member states backed a proposal from Commissioner Frattini to harmonise the normative acts that will make the "public provocation to commit a terrorist offence, recruitment, and training for terrorism" a crime. According to the statements of the EU officials publishing these acts on the Internet completed the European legislation in this domain. They described the Internet as "a virtual training camp for militants, used to inspire and mobilise local groups." Gilles de Kerchove, the EU anti-terrorism co-ordinator, declared that there are approx. 5,000 websites that are used to radicalise young people."
EPIC: "The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also
recommended to raise the awareness of regulators, providers and the general public."
The Inspectors General, Journal of Public Inquiry Fall/Winter 2007/08 (96 pages, PDF)
Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071
News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."
News release: "The Federal Trade Commission has released three 60-second videos to help alert consumers to phishing scams. Phishing uses deceptive spam to trick consumers into divulging sensitive or personal information, including credit card numbers and other financial data, through an email or a link to a “copycat” site. The goal of the videos is to offer practical, useful, and memorable messages. The videos are the newest tool on OnGuardOnline.gov, the agency’s multimedia initiative to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. The award-winning site features tips, articles, how-to videos, interactive quizzes, and tutorials in English and Spanish. The new videos also will be featured on YouTube and on the FTC Web site here."
Cybercrime Legislation - Country profiles: "These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation. They do not necessarily reflect official positions of the countries covered or of the Council of Europe."
News release: "In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases."
"The Financial Action Task Force (FATF) is an inter-governmental body whose purpose is the development and promotion of national and international policies to combat money laundering and terrorist financing."
Exclusive TowerGroup Research Report: Bank Tech Spending in 2008: "Though banks’ IT budgets are likely to shrink if economic conditions worsen, demand for technologies that improve efficiency and integration, client engagement, and security and fraud management will continue, according to TowerGroup research."
U.S. Department of Energy, Office of Inspector General, Office of Audit Services, Audit Report, Management of the Department's Publicly Accessible Websites, March 2008.
Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.
One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."
DHS Fact Sheet: Cyber Storm II National Cyber Exercise - "In March 2008, the Department of Homeland Security’s National Cyber Security Division (NCSD) will sponsor its second large-scale national cyber exercise, Cyber Storm II. Planned in close coordination with and driven by its stakeholders and participants, the exercise will center on a cyber-focused scenario that will escalate to the level of a cyber incident requiring a coordinated Federal response. Exercises such as Cyber Storm II are critical in maintaining and strengthening cross-sector, inter-governmental and international relationships, enhancing processes and communications linkages, as well as ensuring continued improvement to cyber security procedures and processes. Cyber Storm II is part of Homeland Security's ongoing risk-based management effort to use exercises to enhance government and private sector response to a cyber incident, promote public awareness, and reduce cyber risk within all levels of government and the private sector."
HSS Office of Inspector General Privacy Act of 1974; Revisions to OIG’s Privacy Act System of Records: Criminal Investigative Files, Federal Register, March 4, 2008.
Chris Hoofnagle, Measuring Identity Theft at Top Banks (Version 1.0) February 26, 2008. Berkeley Center for Law and Technology. Law and Technology Scholarship (Selected by the Berkeley Center for Law & Technology). Paper 44.
Data Breach Notification Laws, State By State, by Scott Berinato, "More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out."
"The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."
News release: "A bi-partisan group of Senators from the Commerce, Science and Transportation Committee led by U.S. Senators Olympia J. Snowe (R-Maine), Bill Nelson (D-Florida) and the Committee’s Ranking Member Ted Stevens (R-Alaska), introduced today bi-partisan legislation aimed at ending the deceptive practice known as phishing. The Anti-Phishing Consumer Protection Act of 2008 would prohibit phishing – the deceptive solicitation of a consumer’s personal information through the use of emails, instant messages, and misleading websites that trick recipients into divulging their information for the purpose of identity theft. The legislation would also prohibit related abuses, such as the practice of using fraudulent or misleading domain names, by defining them as deceptive practices under the FTC Act."
Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Haldermany, Seth D. Schoenz, Nadia Heningery, William Clarksony, William Paulx, Joseph A. Calandrinoy, Ariel J. Feldmany, Jacob Appelbaum, and Edward W. Felteny. Princeton University, Electronic Frontier Foundation, Wind River Systems. February 21, 2008.
"The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication Consumer Fraud and Identity Theft Complaint Data January-December 2007, showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.
The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and the 50 metropolitan areas reporting the highest incidence of identity theft.
The report states that credit card fraud was the most common form of reported identity theft at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.
Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.
Educational Security Incidents (ESI) Year in Review - 2007: "By Adam Dodge - Posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition to new categories such as incident type "Employee Fraud" and information type "Username and Password".
Press release: "In connection with the 5th Safer Internet Day1 on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."
"Cisco® today announced key findings from its annual global study on remote workers' security awareness and online behavior, indicating how they can inadvertently heighten risks for themselves and the companies they work for. The study's findings are prompting Cisco security executives to offer recommendations to information technology (IT) professionals on how to protect their companies against threats and maximize the business benefits of distributed and mobile workforces."
Annual Threat Assessment of the Director of National Intelligence for the Senate Select Committee on Intelligence, February 5, 2008, J. Michael McConnell, Director of National Intelligence (47 pages, PDF).
Press release: "The FBI has recently developed information indicating cyber criminals are attempting to once again send fraudulent e-mails to unsuspecting recipients stating that someone has filed a complaint against them or their company with the Department of Justice or another organization such as the Internal Revenue Service, Social Security Administration, or the Better Business Bureau."
Related resources:
"Criminals are hard at work thinking up creative ways to get malware on your computer, warns the Federal Trade Commission. With appealing Web sites, desirable downloads, and compelling stories, these criminals try to lure consumers to links that will download malware, especially on computers that don’t use adequate security software. Then, they use the malware – malicious software – to steal personal information, send spam, and commit fraud. A new publication from the FTC has information that could help consumers protect their computers against malware and reclaim their computer and electronic information if malware is already on their computer. The publication, Minimizing the Effects of Malware, provides tips on spotting malware, and urges consumers to act immediately if they suspect their computer is affected by malware."
"The Federal Energy Regulatory Commission (FERC) approved eight new mandatory critical infrastructure protection (CIP) reliability standards to protect the nation’s bulk power system against potential disruptions from cyber security breaches. These reliability standards were developed by the North American Electric Reliability Corporation (NERC), which FERC has designated as the electric reliability organization (ERO)...The final rule, Mandatory Reliability Standards for Critical Infrastructure Protection, takes effect 60 days from the later of either the date Congress receives the agency notice of the rule, or the date the rule is published in the Federal Register."
The eight CIP reliability standards address the following topics:
* Critical Cyber Asset Identification;
* Security Management Controls;
* Personnel and Training;
* Electronic Security Perimeters;
* Physical Security of Critical Cyber Assets;
* Systems Security Management;
* Incident Reporting and Response Planning; and
* Recovery Plans for Critical Cyber Assets.
SANS NewsBites - Volume: X, Issue: 5
Press release: "USA*Engage and the National Foreign Trade Council (NFTC) today sent formal comments to the U.S. Securities and Exchange Commission (SEC), recommending that the Commission reconsider its proposal to further develop mechanisms to facilitate greater access to companies’ disclosures concerning their business activities in or with certain countries designated as “state sponsors of terrorism.” In comments sent to the SEC, the associations noted that U.S. companies operating in such countries are conducting legal, legitimate business, and that the proposed mechanism actually punishes those companies who are most transparent."
Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks, by Saar Drimer and Steven J. Murdoch, Computer Laboratory, University of Cambridge
Washington Post, Online Records May Aid ID Theft, Government Sites Post Personal Data, By Bill Brubaker: "Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."
US State Department's Overseas Security Advisory Council (OSAC) Activity Report: November 2007
Press release: "In a new report, the Federal Trade Commission staff describes findings from its July 2007 workshop, “Spam Summit: The Next Generation of Threats and Solutions” and proposes follow-up action steps that stakeholders can adopt to mitigate the harmful effects of malicious spam and phishing. In addition to proposing action steps for stakeholders, the report provides an overview of the agency’s decade-long role in protecting consumers from the threats of fraudulent spam and phishing. The report also announces results from staff’s 2007 Harvesting and Filtering Study, which suggest that Internet service providers’ spam filters continue to serve an integral role in reducing the amount of spam that reaches consumers’ in-boxes."
Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventitive Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation."
DOE OIG Special Report: Management Challenges at the Department of Energy, December 2007
Press release: "The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports. The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity... Jeannine Kenney, Senior Policy Analyst with Consumers Union...presented findings of a Consumer Reports National Research Center poll at the FTC forum showing that 89 percent of Americans want state and federal lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. The poll also found that nearly all consumers want the right to freeze access to their credit files to prevent new account fraud. Currently 39 states and the District of Columbia give consumers the right to a security freeze and the three major credit bureaus have made the freeze available to consumers in the remaining states."
Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Updated November 15, 2007. "Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could
secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security...This report discusses options now open to nation states, extremists, or terrorist groups for obtaining malicious technical services from cybercriminals to meet political or military objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical infrastructure."
Awareness of Security Freeze Legislation and Use of Security Freezes by Consumers Age 18+ Research Report, Jennifer H. Sauer, M.A., AARP Knowledge Management, Neal Walters, AARP Public Policy Institute, November 2007
McAfee Virtual Criminology Report - Cybercrime: The Next Wave - The annual McAfee global cyber trends study into organized crime and the Internet in collaboration with leading international security experts, November 2007.
Press release: "The Federal Trade Commission today released a survey showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005. Of the victims, 3.2 million, or 1.4 percent of all adults, experienced misuse of their existing credit card accounts; 3.3 million, or 1.5 percent, experienced misuse of non-credit card accounts; and 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds were committed using their personal identifying information."
"Fraud Awareness Week is dedicated to promoting fraud awareness and educating businesses and the public about the growing global impact of fraud. Therefore, this is an appropriate time to address and promote basic steps that can be taken to recognize, report, and reduce the risk of becoming a victim of fraudulent activities. In recognition of Fraud Awareness Week, NCJRS presents this online compilation of resources addressing fraud:
The University of Arizona Artificial Intelligence Lab Dark Web project: "Based on our actual spidering experience over the past 5 years, we believe there are about 50,000 sites of extremist and terrorist content as of 2007, including: web sites, forums, blogs, social networking sites, video sites, and virtual world sites (e.g., Second Life). The largest increase in 2006-2007 is in various new Web 2.0 sites (forums, videos, blogs, virtual world, etc.) in different languages (i.e., for home-grown groups, particularly in Europe). We have found significant terrorism content in more than 15 languages...We believe our Dark Web collection is the largest open-source extremist and terrorist collection in the academic world."
Press release: "Starting November 1, consumers in all 50 states will be able to freeze access to their credit files at all three major credit bureaus to prevent identity thieves from opening fraudulent accounts in their names. By that date, all three major credit bureaus will offer “security freeze” protection to all consumers living in the eleven states that have not passed laws requiring it and the five states that currently limit this protection to identity theft victims. To help consumers learn how to take advantage of this powerful identity theft safeguard, Consumers Union, the nonprofit publisher of Consumer Reports, is making available online an updated Guide to Security Freeze Protection."
Text of the Federal Register Notice [256 pages, PDF] - Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003: 16 C.F.R. Part 681 (Federal Trade Commission Rule): Joint Final Rules and Guidelines of the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Offfice of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission.
CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."
Press release, October 16, 2007: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today introduced the bipartisan Identity Theft Enforcement and Restitution Act of 2007 to give federal prosecutors important new tools to combat the growing problem of identity theft and cyber crime.
The Identity Theft Enforcement and Restitution Act of 2007 would:
Press release: "With a full twelve months under our belt, today OpenDNS published the first-ever PhishTank annual report. The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country."
National Institute of Standards and Technology, Computer Security Division: "SP 800-44 version 2, Guidelines on Securing Public Web Servers, is published as final. It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers."
"Two of the key findings from this year’s Global Security Survey revolve around an organization’s people and a paradox that has been around for years. The weakest link in an organization’s security is its people. An organization’s people include employees, customers, third parties and business partners. And of those people, the highest number of breaches are perpetrated via the customer. Even though information security incidents are grabbing the attention of business executives and boards, these individuals do not yet feel that they “own” the problem. In their estimation, the execution of solutions is the mandate of IT. This information security paradox has been alive and well for years; the 2007 security survey confirms just how widespread it is."
National Southwest Border Counternarcotics Strategy - Unclassified Summary, October 2007
European Security Research Agenda: European Commission Working documents: Public-Private Dialogue in Security Research and Innovation: Summary of the Impact Assessment (SEC (2007); Public-Private Dialogue in Security Research and Innovation: Impact Assessment (SEC (2007)
StaySafeOnline.org: "The National Cyber Security Alliance (NCSA), a consortium of government agencies and private industry sponsors, is proud to designate October 2007 as National Cyber Security Awareness Month (NCSAM). National Cyber Security Awareness Month is a national campaign designed to increase the public's awareness of cyber security and cyber crime issues so that users can take precautions to avoid these threats on the Internet. The month will feature a number of initiatives including public relations activities, educational programs and events that target Home Users, Small Businesses, Education audiences (K-12 and higher education), and Child Safety online."
Press release: "Committee on Homeland Security Committee Chairman Bennie G. Thompson (D-MS) and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James R. Langevin (D-RI) sent a letter on Friday to Richard L. Skinner, Inspector General of the Department of Homeland Security to request an investigation into cyber attacks on the Department initiated by foreign entities and relating to incompetent and possibly illegal activity by the contractor charged with maintaining security on its networks. Links to the letter and its enclosure."
Press release: "Attorney General Andrew Cuomo announced today that his office is investigating Facebook over representations the company makes about safety measures in place on its website. In a letter accompanying a subpoena for documents, Cuomo warned the company that a preliminary review conducted by his office revealed significant defects in the site’s safety controls and the company’s response to complaints - deficiencies that stand in contrast to the reassuring statements made on the website and by company officials."
Press release: "Four out of five companies have suffered from corporate fraud in the past three years, according to a survey from Kroll, the world’s leading risk consulting company. New technologies, new investors and expansion into new overseas markets have opened the door to different forms of fraud, the report concludes. In some sectors, more than a fifth of companies have lost more than $1m...The report draws on a survey by the Economist Intelligence Unit of 900 senior executives worldwide."
Press release: "Electronic Frontiers Australia (EFA) today slammed a Bill introduced into the Senate which would give members of the Australian Federal Police powers to ban access to Internet content. The Communications Legislation Amendment (Crime or Terrorism Related Internet Content) Bill 2007 would, if enacted, give senior members of the Australian Federal Police powers to ban access to Internet content which they "have reason to believe": encourages, incites, or induces the commission of a Commonwealth offence; or was published in part to facilitate the commission of such an offence; or that it is likely to have the effect of facilitating the commission of such an offence."
EPIC: "The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security held a series of panel discussions on the topic of "information fusion centers." EPIC's statement to the committee made specific recommendations on the need to create accountability, oversight, and greater transparency on the work of fusion centers. So far DHS has awarded over $380 million in grants to local and state law enforcement to build 43 of the planned 70 interconnected computer networks. The domestic surveillance project is compiling, analyzing, and disseminating detailed personal information for intelligence and other purposes. DHS says it wants to use fusion centers to prevent terrorism, but local and state police want the centers to support their efforts to anticipate, identify, prevent, and/or monitor crime. See EPIC's page on Fusion Centers and Spotlight on Surveillance."
Press release: "The FTC today told the Maryland Task Force on Identity Theft that public organizations, including federal, state, and local governments, “play a critical role in guarding against misuse and unauthorized disclosure of the personal information they collect and maintain.” Speaking before the Maryland Task Force to Study Identity Theft, Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection said, “To succeed in the battle against identity theft, federal, state and local governments, working together with the private sector, must make it more difficult for thieves to obtain the information they need to steal identities, make it more difficult to use that information if they do obtain it, and assist victims when thefts occur.”
Press release: "The FTC today told the Senate Committee on Commerce, Science & Transportation Subcommittee on Interstate Commerce, Trade and Tourism that it has a robust record in protecting consumers and preserving competition in the marketplace...Speaking for the Commission, Chairman Deborah Platt Majoras said that much of the work of the FTC’s Bureau of Consumer Protection has been devoted to data security and identity theft, technology risks to consumers, fraud in the marketing of health care products, financial practices, telemarketing fraud, and enforcement of the National Do Not Call Rule."
"Terrorists and extremists have set up shop on the Internet, using it to recruit new members, spread propaganda and plan attacks across the world. The size and scope of these dark corners of the Web are vast and disturbing. But in a non-descript building in Tucson, a team of computational scientists are using the cutting-edge technology and novel new approaches to track their moves online, providing an invaluable tool in the global war on terror. Funded by the National Science Foundation and other federal agencies, Hsinchun Chen and his Artificial Intelligence Lab at the University of Arizona have created the Dark Web project, which aims to systematically collect and analyze all terrorist-generated content on the Web."
PC World: Study Finds Spam's Achilles Heel - "Researchers say they've discovered a critical weakness in the spam infrastructure."
Freedom and Information: Assessing Publicly Available Data Regarding U.S. Transportation Infrastructure Security, August 8, 2007: "This report concerns the feasibility of obtaining information relevant to planning terrorist attacks from publicly available sources. To the extent that such information is available, it is particularly valuable to terrorist planners in that it can generally be obtained at lower cost, risk, and effort than more direct forms of gathering information such as observation of a potential target. Familiarity with public sources of information is also valuable to defenders. If they are unaware that a terrorist group knows or can easily learn about a particular vulnerability, that vulnerability can be exploited more easily."
Erickson, K., & Howard, P. (2007). A case of mistaken identity? News accounts of hacker, consumer, and organizational responsibility for compromised digital records. Journal of Computer-Mediated Communication, 12(4), article 5.
UK House of Lords, Science and Technology Committee, 5th Report of Session 2006-2007: Personal Internet Security, August 10, 2007 (121 pages, PDF)
But the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today's "bad guys" belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded. While the incidence and cost of e-crime are known to be huge, no accurate data exist.
Underpinning the success of the Internet is the confidence of hundreds of millions of individual users across the globe. But there is a growing perception, fuelled by media reports, that the Internet is insecure and unsafe. When this is set against the rate of change and innovation, and the difficulty of keeping pace with the latest technology, the risk to public confidence is clear.
The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless "wild west". It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system.
We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders.
The threat to the Internet is clear, but it is still manageable. Now is the time to act, both domestically, and internationally, through the European Union and through international organisations and partnerships.
"The risk associated with using the Internet remains high. Our State of the Net assesses the likelihood and impact of four leading online hazards, listed in order of incidence, based on the survey by the Consumer Reports National Research Center and our follow-up investigation."
Press release, July 19, 2007: "The Department of Justice today submitted to Congress new proposed legislation that seeks to update and improve current laws aimed at protecting Americans from the increasingly sophisticated crime of identity theft. The proposed bill, titled the Identity Theft Enforcement and Restitution Act of 2007, was a significant recommendation included in the final strategic plan from the President’s Task Force on Identity Theft released in April 2007. The strategic plan was the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack identity theft at all levels in the public and private sectors. Among other provisions, the proposed legislation seeks to ensure that victims of identity theft can recover the value of the time lost attempting to repair damage inflicted by identity theft. Under current law, restitution to victims from convicted thieves is available only for the direct financial costs of identity theft offenses."
sfgate.com - ON THE RECORD: DEBORAH MAJORAS CHAIRWOMAN, FTC: "She shares her thoughts on what her agency can -- and cannot -- do on everything from mergers to fraud to privacy to gas prices to infomercials," Sunday, July 15, 2007
Spam Summit: The Next Generation of Threats and Solutions: "A two-day conference that will bring together experts from the business, government, and technology sectors, consumer advocates, and academics to explore consumer protection issues surrounding spam, phishing and malware. The agenda and a list of participants can be found here."
Press release: "Google Inc. announced today that it has signed a definitive agreement to acquire Postini, a global leader in on-demand communications security and compliance solutions serving more than 35,000 businesses and 10 million users worldwide. Postini's services -- which include message security, archiving, encryption, and policy enforcement -- can be used to protect a company's email, instant messaging, and other web-based communications. Under the terms of the agreement, Google will acquire Postini for $625 million in cash, subject to working capital and other adjustments, and Postini will become a wholly-owned subsidiary of Google. The agreement is subject to customary closing conditions and is expected to close by the end of the third quarter 2007."
Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. GAO-07-737, June 4, 2007.
Toward a Safer and More Secure Cyberspace, Seymour E. Goodman and Herbert S. Lin, Editors, Committee on Improving Cybersecurity Research in the United States, National Research Council, 272 pages, pre-publication copy, 2007.
Press release: "Fidelity National Information Services, Inc. announced today that its subsidiary, Certegy Check Services, Inc., a service provider to U.S. retail merchants, based in St. Petersburg, Fla., was victimized by a former employee who misappropriated and sold consumer information to a data broker who, in turn, sold a subset of that data to a limited number of direct marketing organizations...The misappropriated information included names, addresses and telephone numbers as well as, in many cases, dates of birth and bank account or credit card information. Approximately 2.3 million records are believed to be at issue, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the time period over which the misappropriations occurred."
MessageLabs Intelligence Report: Increased Number of Spam Spikes and New Image Spam Techniques Cause Trouble for Businesses: "Analysis of [May 2007] data showed that spammers continue to innovate and employ new methods to elude traditional anti-spam solutions. Rather than embedding images in the body of an email message, spammers are now hosting images on sites that do not require registration and include links to those sites or an HTML image in the email message."
Treasury Inspector General for Tax Administration. Progress Has Been Slow in Meeting Homeland Security Presidential Directive–12 Requirements, June 20, 2007. Reference Number: 2007-20-110
Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Wednesday, June 20, 2007. [links to prepared statements, testimony and relevant correspondence]
"This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims. The report is among a series of guides on investigating electronic crime."
Press release: "[June 13, 2007] the Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle “botherders” and elevate the public’s cyber security awareness of botnets. OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity."
Press release: "Tens of thousands of consumers are unwitting accomplices of illegal spammers and at the mercy of identity thieves, warns the Federal Trade Commission. These consumers’ computers have been secretly hijacked by criminals who install spam-sending software and spyware on the computers when consumers open malicious e-mail attachments or visit a malicious Web site. After gaining access to consumers’ computers, the criminals can track consumers’ Internet surfing, steal personal information, and turn the computers into spam “zombies” that are part of a “botnet” made up of thousands of home computers through which spammers route spam. In a new consumer alert, Botnets and Hackers and Spam (Oh, My!), the FTC urges consumers to secure their personal information and stop assisting spammers."
"The anti-phishing research group at Indiana University, stop-phishing.com, is striving to understand, detect and prevent online fraud, and in particular, to reduce the economic viability of phishing attacks. We achieve this goal through a cross-disciplinary research agenda in which we consider all facets of the problem, ranging from psychological aspects and technology matters to legal issues and interface design considerations. We are attuned to needs and concerns within the financial sector, among privacy advocates, and of common users, and are dedicated to turning the tide."
Press release: "Software security researchers can disclose vulnerabilities almost to their hearts' content. Web security researchers, on the other hand, can go to jail for merely looking for a vulnerability, much less disclosing one publicly. The inaugural report of CSI's new working group explains why, and whether the legal climate is bad for the Internet."
Press release: "This Web site has been established to provide information about an Information Technology Security Incident in which a security breach in a computer application resulted in exposure of sensitive information belonging to current and former University of Virginia faculty members. A criminal investigation is being conducted by University of Virginia Police in consultation with the FBI and the University’s computing and audit professionals. The investigation has revealed that hackers tapped into the records of 5,735 faculty members."
Cooperation against Cybercrime: 11-12 June 2007, Palais de l’Europe, Strasbourg, France: "Societies worldwide rely on information and communication technologies. However, the increasing dependency on such technologies is accompanied by a growing vulnerability to criminal intrusion and misuse. In response to these challenges the Council of Europe adopted the Convention on Cybercrime (ETS 185) in 2001 and the Protocol on the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems (ETS 189) in 2003."
The State of Search Engine Safety, June 4, 2007 - Ben Edelman, Advisor to McAfee SiteAdvisor and Hannah Rosenbaum - Research Analyst, McAfee SiteAdvisor
M-07-18, Ensuring New Acquisitions Include Common Security Configurations (June 1, 2007)
Press release, May 31, 2007: Attorney General Richard Blumenthal, with attorneys general from 43 other states, announced a settlement today with ChoicePoint for allegedly failing to adequately protect consumers' personally identifiable information, resulting in a massive security breach. The Atlanta-based ChoicePoint, which collects and maintains personally identifiable information on consumers, provides identification and credential verification services to businesses, government and non-profit organizations. In February 2005, ChoicePoint announced that criminals posing as legitimate businesses accessed consumers' personally identifiable information. The company notified more than 145,000 consumers nationwide whose information may have been compromised - including nearly 6,000 from Connecticut. Under today's settlement, ChoicePoint has agreed to adopt significantly stronger security measures. Those measures include written certification and, in some cases, on-site visits by ChoicePoint to ensure the legitimacy of companies before they are allowed access to personally identifiable information. ChoicePoint will also conduct periodic audits to ensure that companies are using consumer data for legitimate purposes."
Press release: "...a recent TriCipher Consumer Online Banking Study, conducted by Javelin Strategy and Research, reveals that consumers would take advantage of more online banking services if banks provided stronger identity protection. The TriCipher Consumer Online Banking Study included 3,349 respondents from a random-sample panel that was representative of the U.S. population. Surprising findings uncovered that nearly 1 in 5 - estimated at 26 million - adult consumers have been victims of identity theft or fraud in their lives. And, according to survey results, over 88 million online banking customers would switch banks, or reduce online banking usage, if news reports exposed their individual institution as compromised."
Clay Johnson III, Deputy Director for Management, Office of Management and Budget: M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007 (22 pages, PDF)
Earthtimes reports that a recent "internal survey conducted by search engine giant Google has revealed that one in every 10 pages scanned by the company is infected with malicious software that can harm the users' PC."
FinancialPrivacyNow.org: "Identity theft is one of the fastest growing financial crimes. Nearly 10 million Americans fall victim each year. The Identity Theft Resource Center reported in 2005, on average, an ID theft victim of new account and other fraud spent 60 hours resolving problems brought on by ID theft, those victims of existing accounts spent an average of 15 hours resolving problems. A 2003 Federal Trade Commission study found that identity theft also costs U.S. businesses nearly $48 billion annually, and consumers an additional $5 billion per year. A security freeze lets consumers stop thieves from getting credit in their names. A security freeze locks, or freezes, access to the consumer credit report and credit score. Without this information, a business will not issue new credit to a thief. When the consumer wants to get new credit, he or she uses a PIN to unlock access to the credit file. These states [included at this link] give consumers this important weapon to prevent identity theft. (updated 5/8/07)"
Follow up to May 5, 2007 posting, Missing TSA Hard Drive Has Data on 100,000 Employees, this additional update from the TSA: "Today the Transportation Security Administration (TSA) announced a benefit package to provide employees and former employees affected by the data security incident with free credit monitoring for up-to one year. In addition to credit monitoring, the package includes ID theft insurance up to $25,000, fraud alerts and identity restoration specialists who will complete paperwork and assist employees in the event they are a victim of identity theft. Current and former employees can register via phone, mail or online through a secure web site. More information is available at www.tsa.gov, including a list of frequently asked questions."
Press release, May 4, 2007: "Yesterday the Transportation Security Administration (TSA) became aware of a potential data security incident involving approximately 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. An external hard drive containing personnel data (including name, social security number, date of birth, payroll information, bank account and routing information) was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital. It is unclear at this stage whether the device is still within headquarters or was stolen. TSA immediately reported the incident to senior DHS and law enforcement officials and launched an investigation. TSA is treating this incident as a criminal matter and has asked the FBI to investigate. The U.S. Secret Service is also assisting in the forensic review of equipment and facilities. TSA is cooperating fully." [Wired Blog]
Senate Committee on Homeland Security and Governmental Affairs hearing on The Internet: A Portal to Violent Islamist Extremism, May 3, 2007.
Prepared testimony submitted for this hearing:
Press release: "Today, the House Judiciary Committee approved four crime bills and sent them to the House floor for consideration. The bills were: HR 1700, the "COPS Improvement Act of 2007;" HR 916, the "John R. Justice Prosecutors and Defenders Incentive Act of 2007;" HR 1525, the "Internet Spyware Prevention Act of 2007;" and, HR 1615, the "Securing Aircraft Cockpits Against Lasers Act."
Press release: "Today, Committee on Homeland Security Chairman Bennie G. Thompson (D-MS) joined committee members in a letter to Department of Homeland Security Chief Information Officer Scott Charbo requesting information about the security of the Department’s networks. The letter follows up on a recent cybersecurity hearing, where members learned about the widespread hacking of government networks at the Departments of State and Commerce. The letter...poses 13 questions for response."
Press release: "Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras today announced the completion of the President’s Identity Theft Task Force strategic plan to combat identity theft. The strategic plan is the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack this widespread and destructive crime. The plan focuses on ways to improve the effectiveness of criminal prosecutions of identity theft; enhance data protection for sensitive consumer information maintained by the public sector, private sector, and consumers; provide more comprehensive and effective guidance for consumers and the business community; and improve recovery and assistance for consumers."
Related Documents:
Combating Identity Theft: A Strategic Plan, Final recommendations released April 23, 2007
Press release: "UK consumers are not as risk-averse when it comes to using online services as previously thought, according to recent research conducted by BT. Despite daily warnings about security threats and cyber-criminals, people are willing to take risks online, as long as they feel informed, and it is clear how consequences will be addressed. According to the findings from the Trustguide report, which was a collaborative research project by BT with support from the DTI, people use specific online services not because they trust them, but because they believe the benefits outweigh the risks. Government and private industry must therefore take responsibility for educating and reassuring the public that safeguards are in place, if they are to succeed with e-Government and e-Commerce initiatives..Based on the research, the Trustguide report outlines a set of guidelines to inform policy making and service development for ICT delivered services. In addition to enabling better-informed decision-making through education, and advising users of restitution and guarantee measures should something go wrong, the report highlights the need for greater honesty and transparency of data usage by service providers.
Anti-Phishing Working Group (APWG), Phishing Activity Trends for February 2007 (8 pages, PDF)
Tech//404® Data Loss Cost Calculator: "Data loss resulting from network security breaches and identity theft has become a regular occurrence. While the number of affected records can vary widely in any given data loss scenario, a recent study by the Ponemon Institute found that the average number was roughly 99,000. For recent examples and media reports, visit the data loss archive. Darwin created the Tech//404® data loss cost calculator as a tool to demonstrate the scope of negative financial impact an organization may face as a result of a data breach or identity theft data loss scenario. The calculator will automatically generate an average cost, and a plus/minus 20% range, for expenses associated with internal investigation, notification/crisis management and regulatory/compliance if the incident were to give rise to a class action claim."
Press release: "Former 9/11 Commission counsel Janice Kephart announces the launch of an online Identity Document Security Library, consisting of legal, technical and policy pieces regarding identity document security. Kephart, a nationally recognized border security expert, created the library to serve as a 'one-stop-shop' information portal for those seeking objective, credible information on the issue of identity document security...The issue of identity, and information about identity, underlies the 9/11 Commission's border work, whose recommendations included the creation of minimum standards for state-issued driver licenses and IDs. Kephart's recently issued white paper, Identity and Security: Moving Beyond the 9/11 Staff Report on Identity Document Security, maintains that securing identities and identity documents is perhaps the single most effective measure the United States can take to lay a foundation for national and economic security and public safety."
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The eleventh version of the report, released March 19, 2007, is now available."
Press release: "The Federal Trade Commission today told the Senate Judiciary Committee Subcommittee on Terrorism, Technology, and Homeland Security that “the government and the private sector must continue to work together to reduce the opportunities for thieves to obtain consumers’ personal information and make it more difficult for thieves to misuse that information if they obtain it.” Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection, said government and the business community should evaluate whether they need to collect and maintain the data they have about consumers, better-protect the data that they do possess, and develop better ways to authenticate customers to keep identity thieves from using the information they steal."
Press release: "If Assistant Professor of Communication at the University of Washington Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."
Press release: "The FBI’s Internet Crime Complaint Center (IC3) today released its annual Internet Fraud Crime Report. From January 1 through December 31, 2006, the center received 207,492 complaint submissions. These filings were composed of fraudulent and non-fraudulent complaints primarily related to the Internet and included many different fraud types to include auction fraud, non-delivery, and credit/debit card fraud, as well as non-fraudulent complaints, such as computer intrusions, spam/unsolicited email..."
Press release: "The U.S. Department of Homeland Security and Alabama state officials unveiled today the National Computer Forensic Institute in Hoover, Ala., that will assist in the field of computer forensics and digital evidence analysis. The institute will be developed by the U.S Secret Service and is partially funded by the department’s National Cyber Security Division. It will serve as a national cyber crimes training facility where state and local police officers, as well as prosecutors and judges, will be offered training and equipment."
SEC press release: "The Securities and Exchange Commission this morning suspended trading in the securities of 35 companies that have been the subject of recent and repeated spam email campaigns (see examples). The trading suspensions - the most ever aimed at spammed companies - were ordered because of questions regarding the adequacy and accuracy of information about the companies. The trading suspensions are part of a stepped-up SEC effort - code named "Operation Spamalot" - to protect investors from potentially fraudulent spam email hyping small company stocks with phrases like, "Ready to Explode," "Ride the Bull," and "Fast Money." It's estimated that 100 million of these spam messages are sent every week, triggering dramatic spikes in share price and trading volume before the spamming stops and investors lose their money."
Press release: "The arm of the FBI that investigates financial crimes ranging from underground pyramid schemes to institutionalized fraud in the nation’s corporate suites has issued its annual report detailing the most prevalent types of schemes investigators tackled in 2006. The Financial Crimes Report to the Public is prepared each year by the Financial Crimes Section of the FBI's Criminal Investigative Division. The report, which covers a 12-month period ending September 30, 2006, explains in detail dozens of fraud schemes, tallies FBI accomplishments combating the crimes, and offers tips the public can use to protect itself."
Press release: "...the Department of Commerce's United States Patent and Trademark Office (USPTO) released a report that concludes that the distributors of five popular filesharing programs repeatedly deployed features that they knew or should have known could cause users to share files inadvertently. The report, Filesharing Programs and "Technological Features to Induce Users to Share, identifies five features in recent versions of five popular filesharing programs that could cause users to inadvertently distribute to others downloaded files or their own proprietary or sensitive files. "Computer programs that can cause unintended filesharing contribute to copyright infringement, and they threaten the security of personal, corporate, and governmental data," noted Jon Dudas, under secretary of commerce for intellectual property-the Bush Administration's point person on copyright policy."
E-Commerce Times:
"On April 23 and 24, 2007, the Federal Trade Commission will host a public workshop, Proof Positive: New Directions in ID Authentication, to explore methods to reduce identity theft through enhanced authentication. The workshop will facilitate a discussion among public-sector, private-sector, and consumer representatives, and will focus on technological and policy requirements for developing better authentication processes, including the incorporation of privacy standards and consideration of consumer usability issues."
Findings from a new study by ID Analytics, reported by ComputerWeek, indicate that "....the riskiest states for ID theft are New York, California, Nevada and Arizona, while the safest ones are Wyoming, Vermont, Montana and North Dakota. The riskiest 5-digit zip codes for ID theft -- after Floral Park and Faulkton -- are Old Bethpage, N.Y., New York City and Manhasset, N.Y."
"The Federal Bureau of Investigation (FBI) has launched a service that sends out electronic mail (e-mail) alerts when new and vital information is posted on the FBI.gov Web site. Subscribers select which topics that they want updates on, such as new electronic scams (e-scams) and warnings, most wanted terrorists, top ten fugitives, and local and national press releases. The alerts are transmitted as soon as updates are posted to the FBI's Web site or published in their daily, weekly, or monthly digests. The FBI views this service as a means of furthering American citizens' safety by keeping them informed. No personal information is required to sign up for this service, just an e-mail address to where the alerts will be sent. To sign up for the service please visit the www.FBI.gov."
Press release: "The Federal Trade Commission today issued its annual report, “Consumer Fraud and Identity Theft Complaint Data” on complaints consumers have filed with the agency. For the seventh year in a row, identity theft tops the list, accounting for 36 percent of the 674,354 complaints received between January 1 and December 31, 2006. Other categories near the top of the complaint list include shop-at-home/catalog sales; prizes, sweepstakes and lotteries; Internet services and computer complaints; and Internet auction fraud."
New York State Office of the CIO: "Identity and Access Management (IAM) provides an effective way to protect computer-based services and data for all state and local agencies from unauthorized access. Organizational business requirements often result in the need to grant external users access to services and data or to achieve multi-organizational system interoperability. Demand has become more prevalent due to legislative mandates and increasing connectivity offered by public and private networks. Issuing the NYS Trust Model as a best practice guideline (G07-001) is the first step in establishing a long term Identity and Access Management (IAM) strategy for the state enterprise. The NYS Trust Model establishes basic standards and processes that govern how identity credentials are issued, protected and managed."
Inspection Letter Report, Alleged Loss or Theft of Personally Identifiable Information at Pantex, February 2, 2007.
The Emperor's New Security Indicators, An evaluation of website authentication and the effect of role playing on usability studies, working draft released February 4, 2007. Authors: Stuart E. Schechter (MIT), Rachna Dhamija (Harvard), Andy Ozmet (MIT), Ian Fischer (Harvard).
"The Javelin 2007 Identity Fraud Survey Report provides a detailed, comprehensive analysis of identity fraud in the United States, in order to help consumers and businesses better understand the effectiveness of methods used for its prevention, detection and resolution. A nationally representative sample of over 5,000 US adults, including 458 fraud victims, is surveyed via a 44-question phone interview to gain insight into this crime and its effects upon its victims. This report is issued as a longitudinal update to the Javelin 2006 Identity Fraud Survey Report, the Javelin 2005 Identity Fraud Survey Report and the Federal Trade Commission’s (FTC) 2003 Identity Theft Survey Report. Report Preview."
Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group Final Report and Recommendations (PDF, 42 pages), January 19, 2007 and Transmittal Letter (PDF, 2 pages), January 19, 2007.
Press release: "The University of New Hampshire Cyber Threat Calculator was unveiled Thursday, January 25, 2007, at the Department of Defense Cyber Crime Conference 2007 in St. Louis, Missouri. The UNH Cyber Threat Calculator was developed by researchers at UNH Justiceworks and students, and offers a new method to identify and quantify the threats posed to the United States' cyber infrastructure."
"This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims."
Press release: "The FBI in Los Angeles announced it opened an investigation to determine who hacked into a restricted database at the University of California at Los Angeles (UCLA) that held the names and personal information of some 800,000 students, faculty, and alumni. Anyone who thought they had been further victimized as a result of the breach was encouraged to contact the Internet Crime Complaint Center (IC3)."
Press release: "U.S. Senator Dianne Feinstein (D-Calif.) today reintroduced two bills [Notification of Risk to Personal Data Act and the Social Security Number Misuse Prevention Act] aimed at protecting individuals from identity theft by requiring businesses to notify consumers in the event of a security breach and prohibiting the sale or display of an individual’s Social Security number without his or her consent. Senator Feinstein said that the increased frequency of data breaches demonstrates that the legislation is needed sooner rather than later. Major data breaches have occurred in recent months at Boeing, UCLA, the Colorado Department of Human Services, Starbucks, the Chicago Voters' Database, and Akron Children's Hospital."
Press release, January 4, 2007: "Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection."
Related news:
Press release: "Attorney General Kelly Ayotte announced today that if you live in New Hampshire, effective January 1, 2007 you will have the right to put a "security freeze" on your credit file. A security freeze means that your file cannot be shared with potential creditors. A security freeze can help prevent identity theft. Most businesses will not open credit accounts without first checking a consumer's credit history. If your credit files are frozen, even someone who has your name and Social Security number would probably not be able to get credit in your name. The security freeze legislation passed in the 2006 legislative session....A security freeze fact sheet, including step by step instructions on how to place a security freeze, is available here."
Press release: Among the predicitions, is the following - "Blogging and community contributors will peak in the first half of 2007. Given the trend in the average life span of a blogger and the current growth rate of blogs, there are already more than 200 million ex-bloggers. Consequently, the peak number of bloggers will be around 100 million at some point in the first half of 2007."
From Bank System and Technology:
Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety is on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."
Audit Report - Secretary of Energy From DOE Inspector General Gregory Friedman, Selected Controls over Classified Information at the Los Alamos National Laboratory, November 27, 2006.
Status Report on OIG Data Security via the Data Security Portal: "Our November 21, 2006, status report notes several important developments, including the fact that as a result of our investigation in cooperation with the Federal Bureau of Investigation and the Miami-Dade County Police Department, two individuals have been arrested for their alleged roles in a small Miami-area laptop theft ring. While the OIG's laptops have not been recovered, there has been no credit fraud resulting from the laptop thefts and we believe that the risk of credit fraud in the future is very low. A firm hired to perform data breach analysis has failed to find any misuse of information on the laptops, and will continue to analyze the information..."
Information Security: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing. Full text, GAO-07-65, and Highlights, October 20, 2006.
"Up to 80% of spam targetted at Internet users in North America and Europe is generated by a hard-core group of around 200 known professional spam gangs whose names, aliases and operations are documented in Spamhaus' Register Of Known Spam Operations (ROKSO) database. This TOP 10 chart of ROKSO-listed spammers is based on those Spamhaus views as the highest threat, the worst of the career spammers causing the most damage on the Internet currently. Spamhaus flags these as a priority for Law Enforcement Agencies."
DOJ OIG - Top Management Challenges in the Department of Justice - 2006 Challenges [Full Report]
Section by section:
Press release: "Symantec Corp...announced the opening of the Symantec Phish Report Network to consumers worldwide. As one of the world's leading antifraud communities, the Symantec Phish Report Network, launched in May 2006, allows member companies to contribute and receive fraudulent Web site addresses that they can use in their antiphishing solutions to help protect users from online fraud. Consumer input further helps the Symantec Phish Report Network's fight against online fraud and will aid in preventing other computers users from becoming victims."
Follow up to previous postings on ChoicePoint and data breaches, today's New York Times article, Keeping Your Enemies Close, provides a chronology of how the company has made inroads in rehabilitating its reputation.
Will Knight at New Scientist reports the research by Professor Markus Jakobsson and grad student Jacob Ratkiewicz, Indiana University, indicates "...one in 10 internet users may be lured into handing over sensitive personal information such as a credit card number, by fraudulent "phishing" emails..." and "that some survey participants may not have realised that they have been stung by a phishing scam, or may simply be too embarrassed to admit to it."
Press release: "The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command as the provider of forces that the President, combatant commanders and the American people can rely on for preserving the freedom of access and commerce, in air, space and now cyberspace," said Secretary of the Air Force Michael W. Wynne.
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam, security risks, and future trends. The tenth version of the report, released September 25, is now available."
Press release: "In a report released today, Reps. Davis and Waxman summarize information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected."
Key Conclusions:
Press release, October 4, 2006: "As information security concerns among consumers and other customer constituencies rise, just 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to findings of a major research initiative by the Chief Marketing Officer (CMO) Council. Without such a plan and other security strategies in place, companies are at risk of losing hundreds of million of dollars in market value and loss of reputation and brand trust, according to the study's findings."
Launched today, the Take a Byte Out of Cybercrime website: "Led by the beloved McGruff character, the National Crime Prevention Council, the CMO Council and FAME have joined forces to bring together one of the largest and most influential coalitions of private and public companies whose primary goal is to teach millions of consumers how to identify, report and protect themselves against cyber crime." [download the tip sheets]
Press release: "The Metropolitan Police Computer Crime Unit is investigating data recovered from a computer in the United States that was found to contain personal information from hacked computers located in the United Kingdom. We believe the data has been stolen by the use of a computer virus and it is believed more than 2,300 compromised computers in the UK consisting of 83,000 files have been targeted."
(U) Office of Inspector General Laptop Computers are Susceptible to Compromise (Unclassified and Redacted) OIG-06-58 (PDF, 48 pages), released October 2, 2006.
Press release: "On September 22, 2006, the President signed the United States' instrument of ratification for the Council of Europe Convention on Cybercrime. Today, the United States became a party to the Convention upon deposit of the instrument of ratification at the headquarters of the Council of Europe in Strasbourg, France. The Convention will enter into force for the United States on January 1, 2007. The Convention entered into force on July 1, 2004. As of September 27, 2006, there were 43 Signatories and 15 Parties to the Convention."
Press release: "Congressman Barney Frank yesterday wrote to the Chairman of the Federal Trade Commission (FTC) and representatives of the credit reporting industry asking that they look into the numerous complaints from consumers about access to credit reports and fraud alerts." [text of letter is included in this release]
"A survey of internet leaders, activists, and analysts shows that a majority agree with predictions that by 2020 [Link to The Future of the Internet II (115 pages, PDF)]:
Department of Defense Office of the Inspector General -- Audit Summary of Information Assurance Weaknesses Found in Audit Reports Issued from August 1, 2005, through July 31, 2006 - Report No. D-2006-110 (PDF) - Date: September 14, 2006.
Press release: "The U.S. Department of Homeland Security (DHS) announced today the release of the Cyber Storm Public Exercise Report. The report details key findings from Cyber Storm which was the largest and most complex multi-national, government-led cyber exercise to examine response, coordination, and recovery mechanisms to a simulated cyber event within international, federal, state, and local governments and in conjunction with the private sector."
FTC press release: "An operation that placed spyware on consumers' computers in violation of federal laws will give up more than $2 million to settle Federal Trade Commission charges. Under a stipulated final judgment and order, the defendants are permanently prohibited from interfering with a consumer's computer use, including but not limited to distributing software code that tracks consumers' Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers' computers."
SEARCH, The National Consortium for Justice Information and Statistics - Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community, August 2006.
Press release: Carnegie Mellon CyLab researchers create new system to address phishing fraud [ZDNet]
From the Antiphishing Working Group, the June Phishing Activity Trends Report.
Bureau of Justice Statistics, Prosecutors in State Courts, 2005: "Presents findings from the 2005 National Survey of Prosecutors, the latest in a series of data collections about the Nation's 2,300 State court prosecutors’ offices that tried felony cases in State courts of general jurisdiction. This study provides information on the number of staff, annual budget, and felony cases closed for each office. Information is also available on the use of DNA evidence, computer-related crimes, and terrorism cases prosecuted. Other survey data include special categories of felony offenses prosecuted, types of non-felony cases handled, number of felony convictions, number of juvenile cases proceeded against in criminal court, and work-related threats or assaults against office staff."
Press release, August 14, 2006: "Washington State Attorney General Rob McKenna... announced the filing of Washington's second lawsuit under the state's computer spyware act. The state's suit accuses four California-based corporations of installing software that takes control of a consumer's computer by launching aggressive and persistent pop-ups that demand payment for a movie download service."
Ponemon Institute Releases National Survey on Confidential Data at Risk
Consumer Alert: New Phishing Attack Claims to be FDIC
Industry, Government Fret Over Tactics for Fighting Data Theft, by Marcia Coyle, The National Law Journal, August 10, 2006.
StopBadware.org Blog: "We're entering a new phase here at StopBadware.org. Google—which is one of our partners—will present people with a warning before they visit websites that have been reported to StopBadware.org as sites that distribute badware. These warnings currently link to a general page on StopBadware.org, but as we finish researching sites, we'll replace the general page with one of our individual website reports (see an example here). Hopefully this next step will bring us that much closer to fulfilling our mission of providing people with reliable, objective information about downloadable applications in order to help them make better choices."
Statement of Attorney General Alberto R. Gonzales on the Passage of the Cybercrime Convention, August 6, 2006: "The Cybercrime Convention - the first of its kind - will be a key tool for the United States in fighting global, information-age crime. This treaty provides important tools in the battles against terrorism, attacks on computer networks, and the sexual exploitation of children over the Internet, by strengthening U.S. cooperation with foreign countries in obtaining electronic evidence. The Convention is in full accord with all U.S. constitutional protections, such as free speech and other civil liberties, and will require no change to U.S. laws."
Press release: "Senator Olympia J. Snowe (R-ME), Chair of the Senate Committee on Small Business and Entrepreneurship, today introduced the "Small Business Information Security Act of 2006," (S. 3786) legislation that will create the "Small Business Information Security Task Force" within the Small Business Administration to help small businesses both understand the information security challenges they face and identify resources to help meet those challenges."
Into the Breach: Security Breaches and Identity Theft/Research Report
July 2006 — "Security breaches of data files can lead to identity theft. In this AARP Public Policy Institute Data Digest, Neal Walters analyzes 244 breaches between January 1, 2005 and May 26, 2006, and finds that 40 percent were caused by hackers or insider access targeting sensitive personal information, potentially exposing 50 million individuals’ names and personal data."
GSA press release: "The U.S. General Services Administration’s (GSA) Office of Citizens Services & Communications is warning the public to avoid falling victim to a recent e-mail scheme that targets users by sending unsolicited e-mails allegedly from FirstGov, the citizen portal operated by GSA. These scam e-mails tell recipients that because of recent fraudulent activities on Money Access Online they need to confirm their account has not been stolen or hacked. The e-mails then direct recipients to click on a link and enter information related to personal credit card accounts."
EPIC: "A data breach notification bill [H.R. 3997] backed by the House Financial Services Committee drew criticisms from state law enforcement officials and a coalition of consumer groups, who said that existing state laws are more effective at protecting consumers. In a letter to House leadership signed by 48 state attorneys general, the National Association of Attorneys General stated that an effective data breach law should preserve strong consumer protections and allow states to enforce data breach laws. Consumer groups said that the Financial Data Protection Act "does nothing positive for consumers and rolls back existing state consumer protection laws."
Improved Administration Can Enhance Science and Technology Laptop Computer Security (Redacted), OIG-06-42 (PDF, 36 Pages), July 27, 2006.
Press release: "According to MarkMonitor's AntiFraud Operations Center™ (AFOC), domain-based phishing attacks now represent 73 percent of all attacks, up from 35 percent just 18 months ago." Related reference in this press release to an academic paper titled, Why Phishing Works.
The Subcommittee on Financial Institutions and Consumer Credit, chaired by Rep. Spencer Bachus (AL), held a hearing today entitled "ICANN and the Whois Database: Providing Access to Protect Consumers from Phishing." Government officials contend that access to Whois data is essential in the effort to combat cybercrimes, while privacy advocates maintain that access to data on domain name holders facilitates phishing, spam and other types of fraud.
Press release: The Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad today released its 2006 report citing that virus attacks are the leading cause of financial losses. The top four categories -- virus attacks, unauthorized access to networks, lost/stolen laptops or mobile hardware and theft of proprietary information or intellectual property -- according to the 2006 Computer Crime and Security Survey, account for more than 74 percent of financial loss."
AP: "Computer break-ins at the State Department that caused broad disruptions in recent weeks apparently originated in the East Asia-Pacific region, a department spokesman said Wednesday."
Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans, Rpt. #06-02238-163, July 11, 2006 (78 pages, PDF)
Risky Business? How Multinationals' Outsourcing Involving Customer Data Can Lead to Identity Theft and Other Fraud, by Anita Ramasastry.
In the wake of the steady stream of news (the latest at this time is here) about stolen laptops and data breaches impacting state and federal government agencies and personnel, as well as corporations large and small, this AP article raises an important question: "...Why is so much private data allowed to be on laptops to begin with?"
Press release: "CA today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security."
From the Privacy Rights Clearinghouse, A Chronology of Data Breaches Reported Since the ChoicePoint Incident, updated June 30, 2006. Breaches reported in June 2006 include the Nebraska Treasurer's Office and the Minnesota Dept. of Revenue.
Hearings were held June 27 and June 28, 2006 by the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce, on Making the Internet Safe for Kids: The Role of ISP's and Social Networking Sites.
Related government news and documents:
Press release: "CDT's report charts the important cases against spyware distributors and identifies the statutes applied, June 26, 2006."
WSJ free feature: Laptop Lockdown - Companies Start Holding Employees Responsible for Security Of Portable Devices They Use for Work
Press release: "Sen. Bob Bennett (R-Utah) and Sen. Tom Carper (D-DE), members of the Senate Banking Committee, today introduced legislation to help protect individuals and businesses from the rampant crimes of identity theft and account fraud...The new bill requires that all entities – such as financial institutions, universities, retailers and federal agencies –safeguard sensitive information, investigate security breaches and notify consumers when there’s a substantial risk of identity theft or account fraud. That means retailers that take credit card information are now covered; data brokers who compile private information are covered; and government agencies that possess nonpublic personal information are also covered."
The Consumer Privacy Legislative Forum (whose members include Google, Microsoft, Oracle, EBay Inc., Hewlett-Packard Co., Intel Corp., Sun Microsystems Inc. and Symantec Corp.) issued a statement supporting "a serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework."
Following up on previous postings on the VA data breach, today the GAO issued yet another related report - Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs, Full text GAO-06-897T, and Highlights, June 20, 2006.
Yet another report today about the theft of a laptop from the home of a government employee, this time involving info on D.C. government personnel. The issue of why so many institutions have not implemented proper security measures, such as encryption on digital media removed from the office, remains baffling.
News.com: "Cybercrooks are organizing better and moving to more sophisticated tactics to get their hands on confidential data and turn PCs of unwitting users into bots, representatives from the U.S. Department of Justice and the U.S. Air Force Office of Special Investigations said in separate presentations here at the Computer Security Institute's NetSec event this week."
Follow-up to recent postings VA ID theft and the continuous reports on government and corporate enterprise data breaches, see this Gartner press release: Gartner Says Rash of Personal Data Thefts Shows Social Security Numbers Can No Longer Be Sole Proof of Identity for Enterprises.
Related to previous postings on the recent breach of Veterans' data that was the focus of press and Congressional scrutiny, from GAO today, this report - Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues, full-text GAO-06-866T, and Highlights, June 14, 2006. From the report: "For many years, significant concerns have been raised about VA's information security--particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information. Both GAO and the department's inspector general have reported recurring weaknesses in such areas as access controls, physical security, and segregation of incompatible duties."
Related government documents:
WSJ free feature: Seeking a Safer Internet - New Tools Flag Sites With Spyware, Spam - But the Technology Is Far From Perfect
Press release, June 9, 2006: "Governor George E. Pataki today signed three bills [Security Freeze Law, Disposal of Personal Records Law, Anti-Phishing Act of 2006] that will further protect New York's consumers and their privacy. These bills will allow consumers to proactively defend themselves against identity thieves, require businesses to properly discard documents and records containing personal information, and prohibit individuals from deceptively soliciting sensitive information from Internet users. They will also help prohibit the potential repercussions that many identity theft victims encounter, including the denial of loan applications, false arrest, and criminal records."
Hearing, Cyber Security Challenges at the Department of Energy, June 9, 2006. [note: links to member statements and witness testimony not yet available - after an open session, there was a closed session to discuss security issues related to a previously unreported data breach.]
Government Reform Committee Oversight Hearing, "Once More Into the Data Breach: The Security of Personal Information at Federal Agencies," June 8, 2006. "The data loss at VA is the largest by a federal agency to date, and the latest in a long string of personal information breaches in the public and private sectors, including financial institutions, data broker companies, and academic institutions."
Indiana House House Bill 1101 (HB 1101) which takes effect July 1, will "require disclosure of security breaches and encryption of data by companies holding customers' and clients' personal identification information in computer databases if it could cause identity theft, identity deception, or fraud."
Follow-up to postings on breach of veterans data, this press release from Sen. Patrick Leahy comments on the announcement that "the Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel – including nearly 80 percent of our active-duty force -- were among the data the VA has lost."
Press release, May 31, 2006: "Gov. Lynch today signed Senate Bill 334, which will allows victims of identity theft to ask their credit reporting agency for a "credit freeze." Once they do, their credit reports cannot be forwarded without their consent or involvement, which will help prevent identity thieves from using people's good credit against them. A credit freeze will also prevent criminals from being able to open new lines of credit in their victims' names...The law goes into effect on Jan. 1, 2007."
Another follow-up to postings and resources for veterans impacted by recent data breach: "The FTC is advising veterans and their families to keep a close hold on their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive personal information. One technique scammers use to get this information is phishing: they send an e-mail that appears to be from a well-known company, asking recipients to verify their personal information and luring them to a Web site that looks genuine, but is bogus. Scammers can lie on the telephone, as well, to get personal information." [Link]
Follow-up to postings and resources for veterans impacted by recent data breach, this press release (includes text of letter to HHS): "Thirty organizations participating in the Consumer Coalition for Health Privacy yesterday asked U.S. Department of Health and Human Services Secretary Mike Leavitt to undertake a compliance review of the U.S. Department of Veterans Affairs pursuant to the authority granted him by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Medical diagnostic codes and disability rating information about an undisclosed number of disabled veterans were stolen last month from the home of a VA employee along with 26.5 million veterans' names, birth dates and Social Security numbers."
Press release: "A new cyber security study released today highlights the difference between perception and reality of consumers' awareness of online scams and their actual online behavior. While 87 percent of consumers polled said they were confident they could recognize fraudulent e-mails, 61 percent failed to identify a legitimate e-mail. Most respondents categorized all e-mails in the study as fake, even though one of them was legitimate. The Online Fraud Report has been sponsored by the National Cyber Security Alliance (NCSA), a central clearinghouse for cyber security awareness and education for home users, small businesses and the education community, and Bank of America."
According to the New York Times, Arizona's rapid population growth combined with a "heavy traffic in methamphetamine" are signficant factors in the state's ranking at the top of the list for ID theft complaints recorded by the FTC.
"In recognition of National Internet Safety Month (June 2006), National Criminal Justice Reference Service presents this compilation of Internet safety resources."
Follow-up to the latest extensive incident of ID theft involving government records and citizen personal data, see this OMB Memoranda M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006.
Related government documents and news:
Refereed technical papers from 11 research areas are available from the WWW2006 Conference, May 23-26, 2006. Topic areas include: business success, next wave, education and science, security and health.
NIST's National Vulnerability Database: Search for Vulnerabilities - Enter vendor, software, or keyword.
Follow-up to posting yesterday, Theft of Data on Over 25 Million Veterans Renews Calls for Greater Security, this news from the government today: "Over the weekend following the recent theft of 26.5 million veterans' records, the Department of Veterans Affairs (VA) quickly put in place a call center and website to answer questions about the implications of the theft and the steps veterans can take to protect themselves from misuse of their personal information. The call center, at 1-800-FEDINFO, operates from 8:00 a.m. to 9:00 p.m. (EDT) Monday to Saturday. It can handle up to 260,000 toll-free calls a day. The latest information on VA data security is posted on Firstgov.gov, the U.S. government's official Web portal."
Related news and government documents:
Statement of Secretary of Veterans Affairs R. James Nicholson on the Status of the Veterans Data Theft (5/24/06): "I am outraged at the loss of this veterans' data and the fact an employee would put it at risk by taking it home in violation of our policies. I am also concerned about the timing of the Department's response once the burglary became known. I will not tolerate inaction and poor judgment when it comes to protecting our veterans."
5-11-06: Three-level security flaws found in Diebold touch-screens. Critical Security Alert: Diebold TSx and TS6 voting systems by Harri Hursti, for Black Box Voting, Inc. (12 pages, PDF)
Cybersecurity Enhancement and Consumer Data Protection Act of 2006 (H.R. 5318), To amend title 18, United States Code, to better assure cyber-security, and for other purposes, introduced 5/9/2006, by Rep. James F. Sensenbrenner Jr.
Solove, Daniel J. and Hoofnagle, Chris Jay, A Model Regime of Privacy Protection (Version 3.0). Illinois Law Review, Vol. 2006, p. 357, 2006.
FTC press release: "The Federal Trade Commission today told the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce Committee that in the effort to reconcile the beneficial uses of Social Security Numbers with the threats to consumer privacy, "The challenge is to find the proper balance between the need to keep SSNs out of the hands of identity thieves, while giving businesses and government entities sufficient means to attribute information to the correct person."
Fact Sheet: The President's Identity Theft Task Force: "This task force will marshal the resources of the Federal government to crack down on the criminals who traffic in stolen identities and protect American families from this devastating crime."
"The Committee on Energy and Commerce, to whom was referred the bill (H.R. 4127) to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass." [House Report 109-453 - Part 1 - Data Accountability and Trust Act (DATA), Ordered to be printed May 6, 2006]
FTC press release: "A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."
The RFID Hacking Underground, by Annalee Newitz: "They can steal your smartcard, lift your passport, jack your car, even clone the chip in your arm. And you won't feel a thing. 5 tales from the RFID-hacking underground."
Preventing Identity Theft and Data Security Breaches: The Problem With Regulation, by Clyde Wayne Crews and Brooke Oberwetter, Competitive Enterprise Institute, May 9, 2006 (24 pages, PDF)
Building and Implmenting a Successful Information Security Policy, by John J. Pak, May 8, 2006 (25 pages, PDF).
Cyber Security Industry Alliance Board Urges Congressional Leadership on Consumer Data Protection: Letter to Congressional Leadership
"The Software & Information Industry Association's Anti-Piracy Division conducts a comprehensive, industry-wide campaign to fight software and content piracy. The pro-active campaign is premised on the notion that one must balance enforcement with education in order to be effective."
Personal Information: Agencies and Resellers Vary in Providing Privacy Protections, Full-text GAO-06-609T, April 4, 2006. Highlights.
Press release: The Anti-Spyware Coalition today released two new resources to help consumers and enterprises better protect themselves against spyware and unwanted adware...The coalition's two new documents walk consumers and network operators through the steps they should be taking to protect their machines against adware, spyware and other malicious software."
Press release: "An estimated 3.6 million households, or about 3 percent of all households in the nation, learned that they had been the victim of at least one type of identity theft during a six-month period in 2004, the Justice Department’s Bureau of Justice Statistics (BJS) announced today. Forty-eight percent had experienced an unauthorized use of credit cards; 25 percent had other accounts, such as banking accounts, used without permission; 15 percent experienced the misuse of personal information and 12 percent experienced multiple types of theft at the same time. These findings represent six-month estimates based on interviews conducted from July through December 2004 for the BJS National Crime Victimization Survey."
Press release: "Federal Trade Commission Chairman Deborah Platt Majoras today issued the agency's 2006 Annual Report at the American Bar Association’s Section of Antitrust Law Spring Meeting in Washington, DC. The report, entitled "The FTC in 2006: Committed to Consumers and Competition," (62 pages, PDF) is available now on the Commission's Web site and includes sections on the FTC's competition and consumer protection missions and recent accomplishments, as well as a summary of the policy tools it uses to complement its array of law enforcement and international outreach and coordination efforts."
Social Security Numbers: More Could be Done to Protect SSNs, Full text GAO-06-586T, and Highlights. March 30, 2006.
"The Better Business Bureau (BBB) has partnered with nationally-recognized security and privacy experts to create a new toolkit to help small business owners manage security and privacy challenges. We call it Security & Privacy - Made Simpler (TM). The objective is to demystify the complexities of data security and give small businesses a non-technical roadmap to securing their customer data, and their employees' data, too."
"PhishRegistry.org is a free service provided by CipherTrust, Inc. to help businesses know when they are at risk of being phished. PhishRegistry.org monitors the content of your website and alerts you when attempts to duplicate it have been detected. Weekly reports are sent to your email address with information about suspect websites."
Privacy Rights Clearinghouse, Updated March 23, 2006: A Chronology of Data Breaches Reported Since the ChoicePoint Incident
"Thousands of visitors to StopBadware.org have shared their badware experiences with us since we launched. From their stories, we've identified and tested four applications that contain annoying or objectionable behaviors. To find out what we think of Kazaa, MediaPipe, SpyAxe, and Screensaver.com, read our reports (all in PDF):"
Information Security: Department of Health and Human Services Needs to Fully Implement Its Program, Full Report, GAO-06-267 and Highlights, February 24, 2006.
OIG-Identified Management and Performance Challenges Facing the FDIC (2005)
Press release: "Neil Holloway, president of Microsoft Europe, Middle East and Africa (EMEA), unveiled a global law enforcement campaign that will target cybercriminals behind phishing attacks. Microsoft Corp. announced that by the end of June 2006 it will have initiated legal actions on more than 100 cases in EMEA against individuals suspected of committing online fraud; 53 of these will have already started by the end of March 2006...The legal actions are linked to a larger Microsoft(R) program, the Global Phishing Enforcement Initiative (GPEI), launched by the company to coordinate and expand its many anti-phishing efforts worldwide to fight phishers through consumer protection, partnerships and prosecution."
Press release, March 16, 2006: The Federal Trade Commission today told the House Committee on Small Business, Subcommittee on Regulatory Reform and Oversight that protecting consumers' privacy rights is a top priority for the agency. Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, told the Committee, "The Commission is committed to aggressive law enforcement, vigorous consumer and business education efforts, and global cooperation to safeguard the security of consumers’ personal information." To date, the agency has brought 12 data security cases, six spyware and adware cases, more than a dozen financial pretexting cases, and more than 80 spam cases.
U.S. Newswire: "The House Financial Services Committee voted today to repeal strict state notification and credit freeze laws that have helped to protect consumers from identity theft and financial fraud. These laws provide essential protections that allow consumers to prevent identity thieves from opening credit accounts in their names and require companies to inform consumers when their personal data -- such as their Social Security and credit card numbers -- have become compromised."
Press release: "Consumer confidence in conducting business and protecting personal data online is threatened every day by phishing scams. In an initiative led by the National Consumers League (NCL), law enforcement, financial services and technical industries have joined forces to combat this threat. The group today issued a "call to action" with the release of a paper outlining key recommendations that form a comprehensive plan for combating phishing more effectively."
Government Reform Committee Oversight Hearing: No Computer System Left Behind: A Review of the 2005 Federal Computer Security Scorecards, March 16, 2006.
Press release: "Attorney General Eliot Spitzer today announced a settlement to address what may have been the largest breach of privacy in internet history. The settlement with Datran Media, a leading e-mail marketer, follows an investigation that identified the improper disclosure of the personal information of more than six million American consumers."
From Viviane Reding, Member of the European Commission responsible for Information Society and Media, "Safety on the Net" (7 pages, PDF), (09/02/06).
Symantec Internet Security Threat Report, Volume IX: March 2006 Highlights.
Press release: "Citing the need to safeguard the personal information of Minnesotans, Governor Pawlenty today announced a series of proposals that will protect personal privacy and improve the way state government handles personal data...In 2005, more than 3,000 Minnesotans became the victims of identity theft according to the Federal Trade Commission.
NPR: Identity Theft - Protecting Your Good Name, February 27, 2006. (17 pages, PDF)
New York Times: Cyberthieves Silently Copy Your Passwords as You Type
FTC press release: "In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."
Related documents:
New York Times: Too Many New Gadgets, Too Much Information at Risk: Loss, theft and viruses are major issues as corporate use of handheld devices and pocket PCs increases. Pre-emptive security options are available however, as this article describes.
Managing Cybersecurity Resources: A Cost-Benefit Analysis "details guidelines for using sound and measurable principles of cost-benefit analysis, as a compliment to gut instinct, to efficiently allocate and manage cybersecurity resources within your organization. Written by two globally acknowledged leaders in the increasingly critical area of cybersecurity (Lawrence A. Gordon and Martin P. Loeb), this comprehensive exploration presents:
Responding to Security Incidents on a Large Academic Network: by Jamie Riden 02/14/06 (9 pages, PDF). "This paper describes a series of security incidents on a large academic network, and the gradual evolution of measures to deal with emerging threats."
Follow-up to House Cmte. Seeks Operations Docs. from Websites Selling Cell Phone Records, "House Energy and Commerce Committee investigators have identified people behind 22 Web pages that may offer criminals, stalkers and any other paying customer the detailed records of a person's private telephone calls."
"The goal of National Computer Security Survey (NCSS) is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses. The first national survey of thousands of businesses is being conducted in 2006. Sponsors: U.S. Department of Justice, Bureau of Justice Statistics and the U.S. Department of Homeland Security, National Cyber Security Division (NCSD)."
Related government documents:
Data Security: Federal and State Laws, February 03, 2006
UK Home Office: Updated Estimate of the of the Cost of Identity Fraud to the UK Economy, 2 February 2006 (4 pages, PDF).
The new StopBadware.org website, sponsored by the Berkman Center, the Oxford Internet Institute, with assistance from Consumer Reports WebWatch, ..."will seek to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. We aim to become a central clearinghouse for research on badware and the bad actors who spread it, and to become a focal point for developing collaborative, community-minded approaches to stopping badware."
Identity Theft Again Leads the List: "The Federal Trade Commission...released its annual report (77 pages, PDF) detailing consumer complaints about fraud and identity theft in 2005. Complaints about identity theft topped the list, accounting for 255,000 of more than 686,000 complaints filed with the agency in 2005. The complaints, filed online or at a toll-free number, are shared via a secure database with more than 1,400 federal, state, and local law enforcement agencies, and law enforcement and consumer protection agencies in Canada and Australia."
FTC press release: "Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026."
Related Documents:
IBM press release: "More Americans anticipate falling victim to a cyber attack rather than a physical crime, reports a recent IBM survey of U.S. adults. And, despite the convenience and flexibility that online transactions offer, 37 percent of Americans will not provide credit card information online...Based on the survey, 70 percent of online shoppers will buy from a trusted Web site, while more than half of Americans are "very concerned" or "concerned" to buy from an unknown online retailer."
Press release: "The National Association of State Chief Information Officers (NASCIO), which represents the chief information officers (CIOs) of the states, and the Metropolitan Information Exchange (MIX), an association of county and municipal CIOs, have released findings from a pair of surveys of state and local government cybersecurity preparedness."
New 2005 FBI Computer Crime Survey (19 pages, PDF). "The survey, developed and analyzed with the help of leading public and private authorities on cyber security, is based on responses from a cross-section of more than 2,000 public and private organizations in four states."
"After an extensive public comment period and review, the Anti-Spyware Coalition has released the Final Working Report of the Spyware Definitions. In addition, ASC has released a number of supporting documents, including a Vendor Dispute Resolution Process, a Glossary and a set of Safety Tips for Users."
Malware - Future Trends, by Dancho Danchev,10/01/06 (26 pages, PDF).
Spy? Where?: Understanding Spyware, by Benny C. Rayner, 03/01/06 (14 pages, PDF): "Spyware is a pest no matter which way you think about it. Whether it’s causing you to have numerous pop-ups or it is consuming all of your system resources; spyware is a menace to be reckoned with."
Effectiveness and Enforcement of the CAN-SPAM Act: A Federal Trade Commission Report to Congress, December 2005 (116 pages, PDF):
"Cyber Security Industry Alliance (CSIA), the only advocacy group dedicated to ensuring the privacy, reliability and integrity of information systems, today called on the federal government to assert greater leadership in the protection our information infrastructure in 2006. Its release of the National Agenda for Government Action on Information Security (11 pages, PDF) identifies 13 specific actions required to improve information security for consumers, industry, and governments globally. As part of the Agenda, CSIA also provides a report of the government's limited progress in information security in 2005 and releases a new Digital Confidence Index that reflects the public's lack of confidence in our nation's critical infrastructure." [Link]
Press release: Phishing attacks aimed at identity theft now affect roughly one in four Americans (23%) each month, according to the second annual AOL/National Cyber Security Alliance (NCSA) Online Safety Study (11 pages, PDF). Additionally, more than two-thirds of consumers (70%) who received such scam e-mails thought they were from legitimate companies, putting them at high risk of losing sensitive personal information to identity thieves or criminals. The AOL/NCSA Online Safety Study is the largest study of its kind, sending technical experts into hundreds of typical homes to examine personal computers for known security risks and threats."
Following up on previous postings about phishing, the New York Times yesterday published an article, Gone Spear-Phishin' detailing the extent, impact and intent of cybercriminals who launch Trojans to steal the data of individuals and corporations, for both profit and personal reasons.
Press release: "Texas Attorney General Greg Abbott today sued Sony BMG Music Entertainment as the first state in the nation to bring legal action against SONY for illegal 'spyware.' The suit is also the first filed under the state's spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems."
Related documents and resources:
From the Anti-Phishing Working Group and SRI International, the following report, commissioned by DHS, Online Identity Theft: Technology, Chokepoints and Countermeasures (58 pages, PDF).
FTC press release: "An operation that uses the lure of free lyric files, browser upgrades, and ring tones to download spyware and adware on consumers' computers has been ordered to halt its illegal downloads by a U.S. District Court at the request of the Federal Trade Commission. The court also halted the deceptive downloads of an affiliate who helped spread the malicious software by offering blogs free background music. The music code downloaded by the blogs was bundled with a program that flashed warnings to consumers who visited the blog sites about the security of their computer systems. Consumers who opted to upgrade by clicking, downloaded the spyware onto their computers."
A new, joint federal law enforcement and industry initiative to fight Internet fraud, called LooksTooGoodToBeTrue, was launched today (press release, 5 pages, PDF). "This website was developed to arm you with information so you don’t fall victim to these Internet scam artists." The site provides consumers with documentation on: Types of Fraud; Victim Stories; FAQs & Tips; Information Regarding Phishing Scams; a Fraud Risk Test; and Links to help prevent you from being scammed.
Related references:
"Microsoft has teamed up with the National Cyber Security Alliance (NCSA) to help increase Internet security through a month-long awareness-raising campaign that provides information and sponsored events for consumers, small businesses, educators, and families. This year, the National Cyber Security Awareness Month campaign begins October 1, 2005...Events for this year's campaign include conferences and workshops in several cities across the U.S. For more information and a list of events, visit the NCSA Web site."
Press release from Trend Micro, October 11, 2005: "Trend Micro, Inc., a leader in antivirus and Internet content security, today announced key findings from a study that reveals that more than 87 percent of corporate end users are aware of spyware, and yet 53 percent of survey respondents demand greater education from IT to better understand the threat. The findings indicate that awareness does not translate to knowledge, and as a result users are looking to their IT departments departments to play a more protective role."
Press release, October 12, 2005: "The Federal Financial Institutions Examination Council (FFIEC) today released updated guidance (14 pages, PDF) on the risks and risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. The guidance, Authentication in an Internet Banking Environment, was issued to reflect the many significant legal and technological changes with respect to the protection of customer information, increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies."
The Complete Guide to E-mail, Inc. Magazine, October 2005: "What follows is a guide to the biggest e-mail concerns, particularly security, compliance, and archiving. We'll give you tools for building an e-mail policy now, which can save headaches later, and also advice on buying the right system."
The Global State of Information Security 2005
"Kath Straub, Ph.D., CUA, Chief Scientist, looks at recent research on how people detect, and often miss, Web site fraud.."
Fine-tuning your Internet deception detectors is a brief, straight forward, practical guide to "how Internet deception works."
FTC press release: "The Federal Trade Commission today told the Senate Committee on Commerce, Science, and Transportation Subcommittee on Trade, Tourism, and Economic Development that spyware and other "malware" that is downloaded to consumers' computers without their consent can cause problems ranging from sluggish computer performance to loss of sensitive personal data. Chairman Deborah Platt Majoras said the FTC has an active program to address concerns about spyware and other malware, including research, law enforcement, and consumer education." Please note that this press release provides links to and descriptions of four cases brought by the FTC against defendants accused of distributing spyware and adware.
Related links:
How to foil a Phish, by Sarah D. Scalet, documents the creation and implementation of a successful anti-phishing response plan by an anonymous financial institution. This case study provides a range of scenarios that confront banks dealing with a bombardment of email attacks, and offers practical resources and solutions.
Related references:
Signed into law on September 30, S.B. No. 355: This bill would enact the Anti-Phishing Act of 2005. The bill would make it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business. The bill would provide certain civil remedies and civil penalties for a violation in that regard.
Symantec Internet Security Threat Report, Volume VIII, September 2005 (requires free registration): "The Symantec Internet Security Threat Report is an analysis and discussion of Internet security activity over the past six months. It covers Internet attacks, vulnerabilities, malicious code, and future trends. This edition of the Threat Report, covering the first six months of 2005, marks a shift in the threat landscape. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Unlike traditional attack activity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud."
"OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information."
How to Combat Spyware in Corporate Environments - "A vendor contribution from Panda Soft on Spyware...Spyware downloaded to companies can steal confidential information, reduce the performance of the IT infrastructure, due to the resources used by non work-related activity and loss of employee productivity, who have to deal with changes to system settings and unwanted advertisements." (20 pages, PDF)
The Global State of Information Security 2005: "A worldwide study by CIO and PricewaterhouseCoopers reveals a digital landscape ablaze, with thousands of security leaders fighting the flames. But amid the uncertainty and crisis management, there’s an oasis of strategic thinking."
EPIC reports that "the Fair Credit Reporting Act's guarantee of free credit reports takes full effect today, and now residents of all states can gain access to a free copy of their credit report from all three of the big consumer reporting agencies by visiting annualcreditreport.com or by calling 1-877-322-8228. You can monitor your credit free by requesting one of your three credit reports every four months. For more information, see EPIC's Fair Credit Reporting Act Page."
Related reference:
Understanding credit reports requires homework, patience, By Patricia Sabatini, Pittsburgh Post-Gazette.
Webroot Software released their State of Spyware Report today (free but requires registration), which states in part that "...the number of websites distributing spyware has quadrupled since the beginning of 2005 to an astonishing 300,000 unique URLs." [press release] In addition, 80% of corporate computers are infected with malicious software, which can take the form of trojans, spyware or adware.
This free feature today from the Wall Street Journal introduced me to a phrase that describes a new and virulent wave of web email scams, referred to as "spear phishing." Recipients are government and corporate employees targeted by hackers, posing as institution members, seeking personal data. Efforts are described which try to train employees to recognize these attacks and prevent data breaches.
Press release from Unisys: "Survey results from Unisys Corporation launched [August 3, 2005] reveal that UK consumers' apathetic attitude to fraud could be helping to perpetuate the rapidly growing identity theft industry, which is now estimated to be costing UK businesses £1.3 billion per year."
"The new National Vulnerability Database (NVD) from the National Institute of Standards and Technology (NIST) will make it easier for system administrators and other security professionals to learn about vulnerabilities and how to remediate them. The NVD is a comprehensive database that integrates all publicly available U.S. government resources on vulnerabilities and provides links to many industry resources. NVD is built upon a dictionary of standardized vulnerability names and descriptions called Common Vulnerabilities and Exposures." [NIST Alert]
From the New York Times, The Rise of the Digital Thugs chronicles the under-reported, yet growing, threat to corporations from "cyber extortionists" seeking bribes in return for withholding data and information obtained by breaching networks.
Related reference:
IBM press release: "IBM reported that virus-laden emails and criminal driven security attacks increased by 50 percent in the first half of 2005 - underscored by a significant rise in 'customized' attacks on the government, financial services, manufacturing and healthcare industries. This substantial increase, along with a decrease in less profitable threats, such as spam and simple computer viruses, indicates a growth in targeted attacks against specific organizations and industries -- apparently created with the purpose of stealing critical data, identities or extorting money."
The U.S. Senate Special Committee on Aging held a hearing on July 27, Old Scams – New Victims: Breaking The Cycle of Victimization.
"The focus of this white paper is to describe the basic workings of a new capability, the Microsoft® Phishing Filter, that will be included in the upcoming release of Internet Explorer 7. The Microsoft Phishing Filter will not only help provide consumers with a dynamic system of warning and protection against potential phishing attacks, but — more important — it will also benefit legitimate ISPs and Web commerce site developers that want to try to ensure that their brands are not being 'spoofed' to propagate scams and that their legitimate outreach to customers is not confusing or misinterpreted by filtering software." [the document is in Word, and available at this Link]
From the Univ. of Maryland Center for Public Policy and Private Enterprise, The CSI/FBI Computer Crime and Security Survey, by Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson, 2005 (26 pages, PDF).
On July 20, the Privacy Rights Clearinghouse updated their Chronology of Data Breaches Reported Since the ChoicePoint Incident, which have impacted more than 50 million individuals.
Press release from the Progress & Freedom Foundation: "Notification Doesn't Benefit Consumers: State and Federal lawmakers should proceed with caution when considering notification legislation addressing the perceived growth of data security breaches, according to a new paper released by The Progress & Freedom Foundation. An Economic Analysis of Notification Requirements for Data Security Breaches (19 pages, PDF), authored by Senior Fellow and VP for Research Thomas Lenard and Adjunct Fellow Paul Rubin, finds the costs of such notifications to businesses and consumers are likely to be substantially higher than the benefits."
Related references:
Alert Overview: "The United States Computer Emergency Readiness Team (US-CERT) has received reports of an email based technique for spreading trojan horse programs. A trojan horse is an attack method by which malicious or harmful code is contained inside apparently harmless files. Once opened, the malicious code can collect unauthorized information that can be exploited for various purposes, or permit computers to be used surreptitiously for other malicious activity. The emails are sent to specific individuals rather than the random distributions associated with a phishing attack or other trojan activity...These attacks appear to target US information for exfiltration. This alert seeks to raise awareness of this kind of attack, highlight the important need for government and critical infrastructure systems owners and operators to take appropriate measures to protect their data, and provide guidance on proper protective measures."
"The Anti-Spyware Coalition has released the first draft of the consensus document Spyware Definitions and Supporting Documents for a 30 day public comment period."
A press release on the new Pew Internet and American Life Project Report released this afternoon: "Spyware and the threat of unwanted programs being secretly loaded onto computers are becoming serious threats online. Nine out of ten internet users say they have adjusted their online behavior out of fear of falling victim to software intrusions. Unfortunately, many internet users' fears are grounded in experience - 43% of internet users, or about 59 million American adults, say they have had spyware or adware on their home computer. Although most do not know the source of their woes, 68% of home internet users, or about 93 million American adults, have experienced at least one computer problem in the past year that are consistent with problems caused by spyware or viruses."
Press release: "...the Personal Data Privacy and Security Act of 2005, legislation...would help consumers better protect the privacy of their personal information in the face of recurrent data security breaches across the country..." Note that the press release includes: key features and a summary of the Specter-Leahy legislation, Senator Leahy's statements on the introduction of the bill, and a detailed section-by-section summary of the bill.
Text of the bill, 91 pages, PDF
The cover story of the July 4, 2005 issue of Newsweek is on ID theft. Following are links to several articles from the issue, as well as a link to a relevant article from the New York Times Sunday Week in Review:
From CNN Money, ID data breaches: as rampant as it seems documents the circumstances of the most recently reported incident of hacking, called skimming, that involved the illegal acquisition and storage of credit card data, the exact impact of which still has been not fully disclosed apparently due to the ongoing investigation.
Related references:
On Thursday, June 16, 2005, the Senate Commerce Committee held a Full Committee hearing to examine federal legislative solutions to data breach and identity theft.
From the Cyber Security Industry Alliance press release on the new survey: "More than 90 percent of voters see identity theft and spyware as serious problems with 71 percent believing new laws from Congress are required to protect consumer security. Today, CSIA released the results of a nationwide survey of voters dedicated to Internet safety issues."
As a follow-up to my previous posting, NY AG Sues Net Marketer For Installing Spyware on Millions of PCs, see this press release dated June 14, 2005:
S. 1216, Official Title: A bill to require financial institutions and financial service providers to notify customers of the unauthorized use of personal financial information, and for other purposes. Introduced June 8, 2005.
Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems GAO-05-231, May 13, 2005. Highlights.
The Scramble to Protect Personal Information, from today's New York Times, addresses the issue of significant vulnerabilities in the transfer mechanisms used for financial data, which have resulted in numerous recent headline grabbing reports on the loss and theft of personal data impacting millions of consumers.
Two articles worth reading on state and federal efforts to regulate data brokers in response to the continuing cascade of system breaches, thefts, loss of tapes/drives, and leaks resulting in the release of sensitive personal data: from the Washington Post (reg. req'd), States Keep Watchful Eye on Personal-Data Firms, and from PC World, Policing Information Brokers, the Sequel.
From EPIC, June 1, 2005: "Today, residents of eleven southern states can gain access to a free copy of their credit report from all three of the big consumer reporting agencies by visiting annualcreditreport.com or by calling 1-877-322-8228."
Press release from the FTC, June 1, 2005: "Beginning today, a new federal rule will require businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer reports. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule, a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which calls for the proper disposal of information in consumer reports and records to protect against unauthorized access to or use of the information."
Consumer Reports WebWatch Investigations - Wireless Networks Offer Flexibility, Potential Snooping, offers a quick overview of security issue and makes recommendations on enabling safety solutions for home and on the road.
A Wired article reports that the anonymous youths suspected of having hacked LexisNexis claim to have acted on whim rather than with the objective to profit from the use of personal information they accessed.
From the Privacy Rights Clearinghouse, an update today to their report, A Chronology of Data Breaches Reported Since the ChoicePoint Incident
FTC press release today: FTC, Partners Launch Campaign Against Spam "Zombies": "The Federal Trade Commission and 35 government partners from more than 20 countries have targeted the technology trick used by illegal spammers to tap into consumers' home computers and use them to send millions of pieces of illegal spam. Spammers use hidden software that allows them to hijack consumers' home computers and route spam through them. By routing their emails through "zombie" computers, the spammers are able to hide the true origin of the spam from consumers and make it more difficult for law enforcement to find them. Consumers often do not discover that they, themselves, have been sending spam."
From today's Washington Post: Computers Seized in Data-Theft Probe - Federal Investigators Remove PCs, Discs From Several Locations; LexisNexis Break-In Linked to Paris Hilton Phone Hacking
The U.S. Secret Service and Carnegie Mellon University Software Engineering Institute's CERT® Coordination Center (CERT/CC) announced the findings of the latest Insider Threat Study: Computer Sabatoge in Critical Infrastructure Sectors (45 pages, PDF).
The Internet Spyware Prevention Act of 2005 (I-SPY) Prevention Act of 2005 was approved yesterday by the House Judiciary Committee.
From today's WSJ free features, 'Evil Twins' and 'Pharming' - Hackers Use Two New Tricks To Steal Online Identities; Scams Are Harder to Detect.
Anti-Spyware Tips And Tricks - "Get the straight dope from IT managers and security consultants about the best anti-spyware products, links to favorite anti-spyware information and software, how to tell if your system is infected, and what to do about it if it is."
Press release: Microsoft to Deliver Automated, All-in-One PC Health Service for Consumers
Senate Commerce Committee on Spyware, May 11 2005
Press release from Sen. Charles Schumer: "DSW, ChoicePoint, Lexis-Nexis, Westlaw – Just the Recent Examples of Egregious Loopholes Which Are Compromising People's Personal Information."
Declan McCullagh interviewed Harvard net researcher extraordinare Ben Edelman about his ongoing work to identify and inform the public about spyware and adware.
Related reference:
From Wired, this article Your Identity, Open to All clearly elucidates the privacy issues associated with signficantly increased accessibility to personal data on the web that is aggregated from public domain sources. Questions about the accuracy of this data, its timeliness, the reliability of the sources from which it is extrapolated, and the reasons for making it available are of critical importance in the context of increasing concerns related to cybercrimes, ID theft, privacy and availability of e-records to the public.
From the WSJ Free Features today, Tech-Savvy Blackmailers Hone A New Form of Extortion
Press release from May 3, 2005: "Results from the 2005 E-Crime Watch survey, conducted among security executives and law enforcement personnel, by CSO magazine in cooperation with the United States Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT(R) Coordination Center, reveals the fight against electronic crimes (e-crimes) may be paying off."
Press release from May 3, 2005: "Webroot Software, the leading provider of anti-spyware software and other security technologies for consumers and enterprises, today released the anti-spyware industry's first comprehensive report on spyware, The State of Spyware Report (reg. req'd), an in-depth
review and analysis of the impact of spyware, adware and unwanted software on consumers and enterprises."
Committee on Financial Services hearing entitled "Assessing Data Security: Preventing Breaches and Protecting Sensitive Information," May 04, 2005.
Press release: "ChoicePoint today announced its acquisition of Magnify, Inc., a provider of fraud detection and analytics solutions to the insurance and financial services industries...Magnify's advanced technology and modeling expertise helps customers identify suspicious activity, route information and determine which actions maximize financial return."
Press release: "More than 600 new Internet security vulnerabilities were discovered during the first quarter of 2005, according to the SANS Institute and a team of experts from industry and government. This group has identified the most critical vulnerabilities disclosed in Q1 that pose critical risks that need to be addressed through patching and other defensive actions. Individuals and organizations that do not correct these problems face a heightened threat that remote, unauthorized hackers will take control of their computers and use them for identity theft, for industrial espionage, or for distributing spam.."
Press release: "Attorney General Eliot Spitzer today sued one of the nation's leading internet marketing compan