News release: "The Federal Trade Commission today told the U.S. Senate Committee on Commerce, Science and Transportation that the agency has stepped up efforts to protect consumers affected by the economic downturn, and that additional authority would make the agency even more effective. The testimony presented by FTC Chairman Jon Leibowitz described the agency’s efforts to prosecute financial fraud and deception, including working with states to bring hundreds of cases against mortgage relief scams in 2009. The testimony also discussed the FTC’s rulemaking and consumer education initiatives, how additional authority will enhance the agency’s effectiveness, and the FTC’s perspective on recent proposals to create a consumer financial protection agency as part of a broader reform of the financial services regulatory system."
Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, Dennis C. Blair, Director of National Intelligence, February 2, 2010
"The quarterly APWG (AntiPhishing Working Group) Phishing Activity Trends Report analyzes phishing attacks reported to the APWG by its member companies, its Global Research Partners, through the organization’s website and by email submissions. APWG also measures the evolution, proliferation and propagation of crimeware drawing from the research of our member companies. In the last half of this report you will find tabulations of crimeware statistics and related analyses."
News release: Arab States define key ICT development priorities Broadband, digital broadcasting, open source software, Arab digital content and cybersecurity are main objectives. "The Arab States Regional Preparatory Meeting (RPM) for the International Telecommunications Union (ITU) World Telecommunication Development Conference 2010 (WTDC-10) concluded on Tuesday, 19 January in Damascus, Syrian Arab Republic, with delegates reaching consensus on regional strategies to foster the development of information and communication technologies (ICTs)."
News release: "McAfee, Inc. revealed [at the World Economic Forum Annual Meeting 2010] the staggering cost and impact of cyberattacks on critical infrastructure such as electrical grids, oil and gas production, telecommunications and transportation networks. A survey of 600 IT security executives from critical infrastructure enterprises worldwide showed that more than half (54%) have already suffered large scale attacks or stealthy infiltrations from organized crime gangs, terrorists or nation-states. The average estimated cost of downtime associated with a major incident is $6.3 million per day. The report, In the Crossfire: Critical Infrastructure in the Age of Cyberwar, commissioned by McAfee and authored by the Center for Strategic and International Studies (CSIS), also found that the risk of cyberattack is rising. Despite a growing body of legislation and regulation, more than a third of IT executives (37%) said the vulnerability of their sector had increased over the past 12 months and two-fifths expect a major security incident in their sector within the next year. Only 20% think their sector is safe from serious cyberattack over the next five years."
OPNAV NOTICE 5400, January 11, 2010: "Action will establish U.S. Fleet Cyber Command as an echelon II command to serve as the Navy Component Commander to United States Cyber Command upon its establishment. Interim reporting will be to United States Strategic Command. Command will provide for operational employment of the Navy's cyber, network operations, information operations, cryptologic and space forces, and serve as the Navy's Service Cryptologic Component Commander to the National Security Agency. U.S. Tenth Fleet will be re-commissioned to control operations supporting U.S. Fleet Cyber Command."
Christian Science Monitor: "At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage. The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show. The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show. The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says."
"This Ponemon Institute 2009 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent the cost estimates of activities resulting from the actual data loss incidents. This is the fifth annual survey of this issue. Breaches included in the survey ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors."
Global Risks 2010 - A Global Risk Network Report. A World Economic Forum Report in collaboration with Citi, Marsh & McLennan Companies (MMC), Swiss Re, Wharton School Risk Center, Zurich Financial Services. January 2010.
News release: "McAfee Inc. unveiled its 2010 Threat Predictions report. McAfee Labs believes cybercriminals will target social networking sites and third-party applications, use more complex Trojans and botnets to build and execute attacks, and take advantage of HTML 5 to create emerging threats. McAfee Labs also predicts 2010 will be a good year for law enforcement’s fight against cybercrime...Facebook, Twitter, and third-party applications on these sites are rapidly changing the criminal toolkit, giving cybercriminals new technologies to work with and hot spots of activity that can be exploited. Users will become more vulnerable to attacks that blindly distribute rogue apps across their networks, and cybercriminals will take advantage of friends trusting friends to get users to click on links they might otherwise treat cautiously. The use of abbreviated URLs on sites like Twitter make it even easier for cybercriminals to mask and direct users to malicious Web sites. McAfee Labs predicts that cybercriminals will increasingly use these tactics across the most popular social networking sites in 2010."
Security in the Ether - Information technology's next grand challenge will be to secure the cloud--and prove we can trust it. By David Talbot, Technology Review, January/February 2010 [Dan Mitchel]
News release: "Albert Gonzalez, 28, of Miami, pleaded guilty today to conspiring to hack into computer networks supporting major American retail and financial organizations, and to steal data relating to tens of millions of credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, U.S. Attorney for the District of New Jersey Paul J. Fishman, U.S. Attorney for the District of Massachusetts Carmen Milagros Ortiz and Director of the U.S. Secret Service Mark Sullivan. Gonzalez, aka “segvec,” “soupnazi” and “j4guar17,” pleaded guilty to two counts of conspiracy to gain unauthorized access to the payment card networks operated by, among others, Heartland Payment Systems, a New Jersey-based card processor; 7-Eleven, a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. The plea was entered in federal court in Boston before U.S. District Court Judge Douglas P. Woodlock. The case is one of the largest data breaches ever investigated and prosecuted in the United States."
News release: "The Federal Trade Commission has launched its Web site and blog for National Consumer Protection Week 2010, which will be held March 7-13. The site, Consumer.gov/ncpw, encourages people to learn about their rights as consumers, and promotes free resources to help them protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams. The twelfth annual consumer protection week is a partnership between the FTC and other government agencies and consumer groups. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life – from grade school to retirement. The site for the event features a page for kids and parents, and highlights games, videos, and other Web sites that teach kids practical lessons about the role of business and government in their everyday lives."
News release: "The Federal Trade Commission today issued a Fraud Forum staff report that examines more effective ways to protect consumers from fraudulent schemes and focus the collective knowledge and experience of forum participants to fight fraud. The February 2009 Forum was attended by academics, consumer advocates, industry representatives, and state and federal law enforcers. The Fraud Forum Report summarizes information presented at the event during panel and small group discussions on a range of issues including: the psychology of scammers and their victims, fraud statistics, under-reported fraud, and the role of private industry in detecting and preventing fraud."
DRAFT Security Requirements for Cryptographic Modules (Revised Draft): "The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing."
News release: "A new booklet released today by the Federal Trade Commission and other government agencies helps parents and teachers steer kids safely through the online and mobile phone worlds. Net Cetera: Chatting with Kids About Being Online was unveiled...by FTC Chairman Jon Leibowitz, U.S. Secretary of Education Arne Duncan, and Federal Communications Commission Chairman Julius Genachowski."
News release: "The Federal Trade Commission has issued a report to Congress examining how the agency has used the expanded law enforcement authority Congress provided in the U.S. SAFE WEB Act to protect American consumers since the Act was signed into law on December 22, 2006. The SAFE WEB Act authorizes the FTC to share information and work cooperatively with foreign law enforcement agencies to protect consumers from cross-border harm."
"The Federal Trade Commission [is hosting] a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation." Via EPIC: the second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law.
Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model: "The Internet Security Alliance (ISA) report aimed at taking the Obama Administration’s Cyberspace Policy Review document to the next level. The report emphasizes the need to focus on the economics of cyber security."
"The United States is increasingly dependent on information and information technology for both civilian and military purposes, as are many other nations. Although there is a substantial literature on the potential impact of a cyberattack on the societal infrastructure of the United States, little has been written about the use of cyberattack as an instrument of U.S. policy. Cyberattacks--actions intended to damage adversary computer systems or networks--can be used for a variety of military purposes. But they also have application to certain missions of the intelligence community, such as covert action. They may be useful for certain domestic law enforcement purposes, and some analysts believe that they might be useful for certain private sector entities who are themselves under cyberattack. This report considers all of these applications from an integrated perspective that ties together technology, policy, legal, and ethical issues. Focusing on the use of cyberattack as an instrument of U.S. national policy, Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights. Of special interest to the military, intelligence, law enforcement, and homeland security communities, this report is also an essential point of departure for nongovernmental researchers interested in this rarely discussed topic."
Global Fraud Report Annual Edition 2009/2010
Evaluation Report, The Department's Unclassified, Cyber Security Program - 2009. DOE/IG-0828 October 2009
News release: "ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identity theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000. In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention."
Cyberdeterrence and cyberwar, by Martin C. Libicki: "This monograph presents the results of a fiscal year 2008 study, “Defining and Implementing Cyber Command and Cyber Warfare.” It discusses the use and limits of power in cyberspace, which has been likened to a medium of potential conflict, much as the air and space domains are. The study was conducted to help clarify and focus attention on the operational realities behind the phrase “fly and fight in cyberspace.” The basic message is simple: Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities. Permanent effects are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do so again. Something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought. This monograph is an attempt to start this rethinking."
National Identity Theft Prevention Week - UK's Fraud Prevention Service resources:
FBI news release: "The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks. [October 7, 2009], authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme. The United States government is extremely grateful for the extraordinary assistance provided by the Egyptian government in this matter."
"The U.S. is facing a cyber war. Foreign powers, criminal groups, hackers, and terrorist organizations have launched cyber attacks on the White House, Pentagon, State Department, and New York Stock Exchange; stolen data from the Pentagon’s fighter aircraft; and hacked into the nation’s electrical grid. There were millions of attempts to penetrate defense digital networks in 2008. In 2009, the General Accountability Office reported weaknesses in the capabilities of 23 of 24 federal agencies to detect or prevent cyber attacks. President Obama declared cybersecurity to be one of the nation’s most serious economic and security challenges. The federal government needs a coordinated, sustained effort to build the capability and caliber of the government’s cybersecurity workforce to combat these threats and ensure the nation’s safety. Booz Allen Hamilton and the Partnership for Public Service examined the state of the federal cybersecurity workforce by interviewing federal experts, examining public testimony and reports, holding focus groups, and surveying chief information officers (CIOs), chief information security officers (CISOs), and human resource professionals at 18 federal agencies. Results of this research were published in the study, Cyber In-Security: Strengthening the Federal Cybersecurity Workforce."
National Cybersecurity Awareness Month: "October marks the sixth annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. The theme for National Cybersecurity Awareness Month 2009 is “Our Shared Responsibility” to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good “cyber hygiene” and to protect themselves and their families at home, at work and at school. Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace."
Following the January 9, 2009 memo, Legal Issues Relating to the Testing, Use and Deployment of an Intrusion-Detection System (EINSTEIN 2.0) to Protect Unclassified Computer Networks in the Executive Branch, DOJ released this memo on September 18, 2009: Legality of Intrusion-Detection System To Protect Unclassified Computer Networks In Executive Branch - "Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws."
"reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows...A CAPTCHA is a program that can tell whether its user is a human or a computer. You've probably seen them — colorful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from "bots," or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots cannot navigate sites protected by CAPTCHAs."
News release: "Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., Sunday said the latest trend in cybercrime is directed at small to medium sized companies that have been robbed of both data and dollars...The thieves steal in amounts under $10,000 to avoid triggering a bank report required by anti-money laundering law. The malware is so well written that the traffic seems to be coming from an authorized computer – and possibly is a legitimate computer that has been commandeered. The money is then transferred to “money mules” who may have been recruited over internet job boards or who have posted resumes on a job listing service...The Committee will hold a hearing September 14, 2009, Cyber Attacks: Protecting Industry Against Growing Threats, to examine this new trend, and the Senators plan to introduce broad cyber security legislation later this fall that will improve cyber security in the private sector."
Follow up to August 1, 2009 posting - Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks - today's news release: "An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity. Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks."
"PandaLabs issued a release on the proliferation of identity theft malware during times of economic crisis. Our research found that the number of users affected by malware designed for identity theft has increased 600 percent this year compared to the same time in 2008. PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats each day. Of these, 71 percent are Trojans, mostly aimed at stealing bank details or credit card numbers, as well as passwords for other commercial services. Between January and July 2009, PandaLabs received 11 million new threats, approximately 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51 percent of new Trojans that PandaLabs received in 2007."
News release: "Albert Gonzalez, 28, of Miami, Fla., was indicted today for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of New Jersey Ralph J. Marra Jr. and U.S. Secret Service Assistant Director for Investigations Michael Merritt...The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."
Remarks by Secretary Napolitano at the Global Cyber Security Conference, August 4, 2009: "We have to look at the landscape now; but, more important, we have to—I think—acknowledge amongst ourselves that in terms of cybersecurity we've been living in a cyber 1.0 world and we need to be cyber 3.0 and beyond. Because the minute we start talking about a particular methodology of cyber the cyber bad guys are already moving ahead. This is a very, very rapidly evolving environment in which real crime and real damage can occur."
News release: "The Federal Trade Commission testified today before the U.S. Senate on its efforts to combat deceptive advertising in the face of rapid changes in health care, technology, and online marketing strategies. In testimony before the Senate Committee on Commerce, Science, and Transportation’s Subcommittee on Consumer Protection, Product Safety, and Insurance, David Vladeck, Director of the FTC’s Bureau of Consumer Protection, described the Commission’s recent law enforcement and regulatory efforts addressing deceptive advertising."
News release: "Javelin Strategy & Research released its Fifth Annual Card Issuers’ Identity Safety Scorecard, which analyzes the top 25 U.S. card issuers’ capabilities for protecting customers from identity fraud. To compile the report, Javelin incorporated data from annual household, consumer, and issuer surveys using Javelin’s Prevention, Detection and Resolution™ criteria to accurately reflect customer demands and trends in how issuers protect against fraud. The Javelin scorecard is a structured assessment of each issuer’s fraud protection services. The scorecard ranks features that best empower two major victims of the nation’s $48B identity fraud problem—cardholders and issuers—showing how to turn the tables on a worrying method of crime."
News release: "The Federal Trade Commission testified before the U.S. Senate today on the agency’s campaign to crack down on scammers who are trying to take advantage of the economic downturn to push a variety of scams, such as phony job-placement and debt-reduction services, get-rich-quick schemes, and bogus government grants...In response to the rise in financial distress scams, on July 1, 2009, the Commission announced “Operation Short Change,” a joint initiative with 14 states, the Department of Justice, and other agencies that included more than 120 law enforcement actions."
PBS.org FRONTLINE - Ghana, Digital Dumping Ground: "When containers of old computers first began arriving in West Africa a few years ago, Ghanaians welcomed what they thought were donations to help bridge the digital divide. But soon exporters learned to exploit the loopholes by labeling junk computers "donations"...[What is on the hard drives from these junk PCs?] There is private financial data...credit card numbers, account information, records of online transactions the original owners may not have realized were even there. Ghana is listed by the U.S. State Department as one of the top sources of cyber crime in the world. And it's not just individuals who are exposed. One of the drives the team has purchased contains a $22 million government contract. It turns out the drive came from Northrop Grumman, one of America's largest military contractors. And it contains details about sensitive, multi-million dollar U.S. government contracts. They also find contracts with the Defense Intelligence Agency, NASA, even Homeland Security."
News release: "The Federal Trade Commission today announced a law enforcement crackdown on scammers trying to take advantage of the economic downturn to bilk vulnerable consumers through a variety of schemes, such as promising non-existent jobs; promoting overhyped get-rich-quick plans, bogus government grants, and phony debt-reduction services; or putting unauthorized charges on consumers’ credit or debit cards. Dubbed “Operation Short Change,” the law enforcement sweep announced today includes 15 FTC cases, 44 law enforcement actions by the Department of Justice, and actions by at least 13 states and the District of Columbia."
U.S. Department of Education, Office of Inspector General, Information Technology Audits Division - Incident Handling and Privacy Act Controls over External Web Sites, Final Audit Report, Redacted, ED-OIG/A11I0006, June 10, 2009.
"Corporate websites generally offer more innovative features than public-sector sites, largely because the private sector spends about a third more on websites, according to a Brookings Institution study, Comparing Technology Innovation in the Private and Public Sectors. The study, released in mid-June, compares the websites of leading U.S. corporations with state and national governments, grades their overall performance, and examines nearly two dozen features of digital innovation.
Using a 100-point scale, the study report concludes that corporations have the most innovative websites (65 points) and are trailed as a group by state government (54) and federal government (51). The top-rated site in the federal government category, USA.gov (92), equaled the score for the top-rated corporate site, WellsFargo.com. Other top-rated federal sites were USDA.gov, GSA.gov, USPS.com, IRS.gov, and ED.gov. Delaware.gov (83.7) was the top-rated state site, followed by the official websites of Georgia, Florida, California, Massachusetts and Maine. The report also revealed that public websites provide more security and are better at protecting privacy. Although federal government websites were the most accessible to users with disabilities, 75 percent of its websites were not completely accessible."
WSJ: "Defense Secretary Robert Gates created a new military command dedicated to cyber security on Tuesday, reflecting the Obama administration's plans to centralize and elevate computer security as a major national-security issue. In a memo to senior Pentagon officials, Mr. Gates said he intends to recommend that Lt. Gen. Keith Alexander, director of the National Security Agency, take on the additional role as commander of the Cyber Command with the rank of a four-star general."
2009 Trust, Security & Passwords Survey Research Brief: "This global "snooping" survey is the third in a series of benchmark studies focused on identifying security and privacy trends among IT workers. Results are intended to raise awareness about the risks associated with powerful, and often unmanaged, privileged users and passwords. While seemingly innocuous, these accounts provide workers with "keys to the kingdom," allowing them to access critically sensitive information, no matter where it resides."
News release: "Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address. The “Red Flags and Address Discrepancy Rules,” which implement sections of the Fair and Accurate Credit Transactions Act of 2003, were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC)."
News release: "A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP’s upstream providers and data centers have disconnected its servers from the Internet."
White House: Securing Our Digital Future, Melissa Hathaway, Cybersecurity Chief at the National Security Council, discusses securing our nation's digital future.
"NIST announces that its working definition of cloud computing is available. Researchers worked in collaboration with industry and government to draft the definition that serves as a foundation for its research and future publication on the topic. Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Researchers are studying cloud architectures, economics, security and deployment strategies for the federal government."
News release: "The Online Trust Alliance (OTA) gave leading government agencies and online retailers a failing grade in preventing deceptive email and phishing scams based on its newly released analysis of email authentication adoption. While adoption has grown over the past year, OTA found approximately 56 percent of the top .gov sites – including Whitehouse.gov, FBI.gov, Treasury.gov and DHS.gov – still are not protecting U.S. citizens through the use of email authentication. At the same time, progress has been made by other government agencies including the Census Bureau, CIA, FDIC, VA and FTC."
News release: "...the Online Trust Alliance (OTA) released its 2009 draft Online Trust Principles for public comment. The Principles are a major step toward establishing business practices that afford greater consumer online protection and the long-term vitality of online commerce and interactive marketing."
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a one-year period. It covers Internet threat activities, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The fourteenth version of the report, released April 14, 2009, is now available."
"Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials...But protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage."
National Academies Press, prepublication: Sustainable Critical Infrastructure Systems: A Framework for Meeting 21st Century Imperatives, 2009.
Follow up to April 5, 2009 posting Senate Staff Working Draft of Cybersecurity Act of 2009, see this related CRS report: Comprehensive National Cybersecurity Initiative (CNCI): Legal Authorities and Policy Considerations, March 10, 2009
CDT: "A cybersecurity bill introduced April 01, 2009 in the Senate would give the federal government extraordinary power over private sector Internet services, applications and software. The Cybersecurity Act of 2009 would, for example, give the President unfettered power to shut down Internet traffic in emergencies or disconnect any critical infrastructure system or network on national security grounds. The bill would grant the Commerce Department the ability to override all privacy laws to access any information about Internet usage in connection with a new role in tracking cybersecurity threats. The bill, introduced by Sens. John Rockefeller and Olympia Snowe, would also give the government unprecedented control over computer software and Internet services, threatening innovation, freedom and privacy. CDT President and CEO Leslie Harris said, 'The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy.'"
"In December 2003, the Internet Fraud Complaint Center (IFCC) was renamed the Internet Crime Complaint Center (IC3) to better reflect the broad character of such criminal matters having a cyber (Internet) nexus. The 2008 Internet Crime Report is the eighth annual compilation of information on complaints received and referred by the IC3 to law enforcement or regulatory agencies for appropriate action. From January 1, 2008 – December 31, 2008, the IC3 website received 275,284 complaint submissions. This is a (33.1%) increase when compared to 2007 when 206,884 complaints were received. These filings were composed of complaints primarily related to fraudulent and non-fraudulent issues on the Internet."
WSJ: "The government's coordinator for cybersecurity programs has quit, criticizing what he described as the National Security Agency's grip on cybersecurity. Rod Beckstrom, a former Silicon Valley entrepreneur, said in his resignation letter that the NSA's central role in cybersecurity is "a bad strategy" because it is important to have a civilian agency taking a key role in the issue. The NSA is part of the Department of Defense."
"The Federal Trade Commission released the list of top consumer complaints received by the agency in 2008. The list, contained in the publication Consumer Sentinel Network Data Book for January-December 2008, showed that for the ninth year in a row, identity theft was the number one consumer complaint category. Of 1,223,370 complaints received in 2008, 313,982 – or 26 percent – were related to identity theft."
Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data, February 23, 2009
News release: "President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security. This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector. "The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Assistant to the President for Counterterrorism and Homeland Security John Brennan. Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period."
News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."
The Top 25 Errors are listed below in three categories:
"The Global state of information security survey 2008 is a worldwide security survey by PricewaterhouseCoopers, CIO Magazine and CSO Magazine. It was conducted online from March 25 to June 26, 2008. Readers of CIO and CSO Magazines and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 119 countries. Thirty-nine percent (39%) of respondents were from North America, twenty-seven percent (27%) from Europe, seventeen percent (17%) from Asia, fifteen percent (15%) from South America, and two percent (2%) from the Middle East and South Africa."
News release: "Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest."
"Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” For more information visit EPIC’s A-Z Privacy Page."
News release: "The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities...The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud...The FTC report also recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted that such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability of SSNs could unintentionally curtail those functions. Finally, the report recommends steps to improve data security, increase outreach to consumers and businesses on the protection of SSNs, and enhance coordination and information-sharing among organizations that routinely use SSNs."
"The Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency has released its final report, Securing Cyberspace for the 44th Presidency. The Commission’s three major findings are: cybersecurity is now one of the major national security problems facing the United States; decisions and actions must respect American values related to privacy and civil liberties; and only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation."
From the ICC Commercial Crime Services (CCS) - "the anti-crime arm of the International Chamber of Commerce": Live Piracy Map 2008 - "This map shows all the piracy incidents reported by the IMB Piracy Centre in Kuala Lumpur during 2008. Please click on the pins for more details of the specific incident or zoom in for more accurate location information."
Online Threats to Youth: Solicitation, Harassment, and Problematic Content, Literature Review by the Research Advisory Board of the Internet Safety Technical Task Force, Andrew Schrock and Danah Boyd, Berkman Center for Internet & Society, Harvard University, Draft Version. November 14, 2008
Worldwide Infrastructure Security Report, Volume III: "Arbor Networks®, Inc., in cooperation with the Internet security operations community, has completed the third edition of an ongoing series of annual operational security surveys. This survey, covering a 12-month period from July 2006 through June 2007, is designed to provide data useful to network operators so that they can make informed decisions about their use of network security technology to protect their mission-critical infrastructures. It is also meant to serve as a general resource for the Internet operations and engineering community, recording information on trends and employment of various infrastructure security techniques."
Spamalytics: An Empirical Analysis of Spam Marketing Conversion, October 2008 - Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, Stefan Savage
News release: "The total number of breaches on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event."
Office of Science and Technology Policy (OSTP) in the Executive Office of the President - Identity Management Task Force Report 2008, released September 2008
News release: "Attorney General Michael B. Mukasey and Federal Trade Commission Chairman William E. Kovacic announced today the release of a report from the President’s Identity Theft Task Force on progress the federal government has made in addressing identity theft since the Task Force’s Strategic Plan was released last year. Highlights of the report include expansion of the Task Force’s data security and identity theft business and consumer education campaigns; exploring means of improving consumer authentication processes to prevent the use of stolen information to commit identity theft; launching new initiatives to help identity theft victims recover; and improving law enforcement tools to investigate and prosecute identity thieves."
FOX News: "The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.
In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an "unprecedented crisis." In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public."
News release: "Online scammers are taking advantage of tough economic times. While e-mails phishing for sensitive data are nothing new, scammers are taking advantage of upheavals in the financial marketplace to confuse consumers into parting with valuable personal information. The Federal Trade Commission urges caution regarding e-mails that look as if they come from a financial institution that recently acquired a consumer’s bank, savings and loan, or mortgage. In fact, these messages may be from “phishers” looking to use personal information – account numbers, passwords, Social Security numbers – to run up bills or commit other crimes in a consumer’s name. Consumers are warned not to take the bait. The FTC has advice about how to stay on guard against this type of scam. To learn more, see the consumer alert Bank Failures, Mergers and Takeovers: A ‘Phish-erman’s Special."
News release: "The Federal Trade Commission’s Web site that helps consumers stay on guard against Internet fraud is revamping to provide extra tools for cyber safety. The FTC’s announcement of the newly designed and improved site comes on the first day of October, which is National Cyber Security Awareness Month. Since the September 2005 launch of www.OnGuardOnline.gov and its Spanish-language counterpart, www.AlertaEnLínea.gov, more than 8.1 million visitors have learned about computer security at these sites. Now, with the help of 22 federal agencies, industry organizations, and non-profit groups, the FTC has introduced a variety of new features to help consumers avoid Internet fraud, secure their computers, and protect their personal information...The articles, games, and videos on the site provide information on 16 topics, including social networking, phishing, spam scams, and laptop security."
The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2008, DOE/IG-0802 September 2008
Cybercrime against Businesses, 2005: "Presents the nature and prevalence of computer security incidents among 7,818 businesses in 2005. This is the first report to provide data on monetary loss and system downtime resulting from cyber incidents. It examines details on types of offenders, reporting of incidents to law enforcement, reasons for not reporting incidents, types of systems affected, and the most common security vulnerabilities. The report also compares in-house security to outsourced security in terms of prevalence of cyber attacks. Appendix tables include industry-level findings."
News release: "...today's topic is going to cover a different kind of vulnerability, not the vulnerability to identity but the vulnerability to the physical world in which we operate. That is our critical infrastructure. And I want in particular to talk about how these vulnerabilities look to me as we enter the 21st century, and what we have to do to reduce the risk to our critical infrastructure in the years to come."
Cyber Security Tip ST05-018 - Understanding Voice over Internet Protocol (VoIP): "Because VoIP relies on your internet connection, it may be vulnerable to any threats and problems that face your computer. The technology is still new, so there is some controversy about the potential for attack, but VoIP could make your telephone vulnerable to viruses and other malicious code. Attackers may be able to perform activities such as intercepting your communications, eavesdropping, conducting effective phishing attacks by manipulating your caller ID, and causing your service to crash. Activities that consume a large amount of network resources, like large file downloads, online gaming, and streaming multimedia, will also affect your VoIP service."
Threats to Internet Routing and Global Connectivity, 20th Annual FIRST Conference, Vancouver, British Columbia Canada, June 2008 (69 page presentation) includes discussion of the following topics:
News release: "Today, the total number of breaches on the Identity Theft Resource Center’s (ITRC) 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event....Breaches: 449 Exposed: 22,091,338."
News release: "Secretary Chertoff spoke on the balance between privacy and secure identity August 13 at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events. He addressed crimes involving identity theft, and talked about identity validation and authentication, the associated financial costs, the effect on illegal workers, the universe of tools available for identity management, and possible solutions that address the concerns of privacy advocates."
News release: "State attorneys general received thousands of consumer complaints of online fraud and abuse in 2006 and 2007 and yet, with the exception of several notable standouts, brought few significant cases in response, according to a report released today from the Center for American Progress and the Center for Democracy and Technology, Online Consumers at Risk and the Role of State Attorneys General."
Official Google Enterprise Blog: "In July, our Postini datacenters saw the biggest volume of email virus attacks so far in 2008, with a peak of nearly 10 million messages on July 24. One of the more prominent attacks in the month involved a spoofed UPS package-tracking link that was intended to lure recipients into clicking on it and downloading malware. Our zero-hour virus protection technology first started catching these emails on July 20."
M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 14, 2008) (43 pages)
News release: "The Federal Trade Commission today released a staff report on a Roundtable Discussion on Phishing Education that it hosted in April. Approximately 60 experts from business, government, the technology sector, the consumer advocacy community, and academia met at the FTC to discuss strategies for outreach to consumers about avoiding phishing. Phishers use deceptive spam that appears to come from legitimate, well-known sources to trick consumers into divulging sensitive or personal information, such as credit account numbers or passwords, often through a link to a copycat of the purported source’s Web site."
Federal Trade Commission: "Financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new Red Flags Rules.
The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.
The Commission staff is launching an outreach effort to explain the Rules in greater detail. It has now published a general alert on what the Rules require, and, in particular, an explanation of which businesses - financial institutions and creditors - are covered by the Rules."
News release: "The Federal Trade Commission plans to study the experiences of identity theft victims by conducting a survey of consumers who contacted the FTC after they were victimized. The proposed survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge. The survey will seek information from identity theft victims who contacted the FTC between January 1 and May 30, 2008, and will inquire about their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights. The survey results will help guide the FTC’s efforts to enforce the law and educate consumers and the consumer reporting industry about their rights and duties."
News release: "The ITRC Breach Report total has reached an all-time high. Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The actual number of breaches is likely even higher, due to underreporting and the fact that some of the breaches reported as a single event actually affected multiple businesses.
The ITRC Breach Report sub-divides all breaches into five categories. To date, the 2008 ITRC Breach Stats Report indicates the following: 17.0% government/military agencies, 21.3% from educational institutions, 36.8% from general businesses, 14.9% from health care facilities / companies, and 10% from banking / credit / financial services entities.
Click here for the 2008 ITRC Breach report. Click here for the 2008 ITRC Breach Stats Report broken down by categories which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care). Please check regularly as this list is updated weekly."
A Guide to Protecting Your Identity Online, Rosemary Haworth, PC Advisor
Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.
News release: "The Federal Trade Commission...told the Senate Committee on Commerce, Science, and Transportation that “legislation authorizing the Commission to seek civil penalties in spyware cases could add a potent remedy to those otherwise available to the Commission.” In testimony to the Committee, Eileen Harrington, Deputy Director of the FTC’s Bureau of Consumer Protection, said that when other enforcement options – seeking consumer redress or making the operators give up their ill-gotten gains – are not appropriate or sufficient remedies to deter spyware distributors, “a civil penalty may be the most appropriate remedy and serve as a strong deterrent.” The testimony states that the agency supports legislation that would provide “the Commission this valuable law enforcement tool.”"
OIG: The Social Security Administration's Internal Use of Employees' Social Security Numbers. A-13-07-27164 06/09/08
Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University
Akamai, 1st Quarter 2008 - The State of the Internet Report.
"During the first quarter, Akamai observed attack traffic originating from 125 unique countries around the world. China and the United States were the two largest attack traffic sources, accounting for some 30% of this traffic in total. Akamai observed attack traffic targeted at 23 unique network ports. Many of the ports that saw the highest levels of attack traffic were targeted by worms, viruses, and bots that spread across the Internet several years ago. A number of major network “events” occurred during the first quarter that impacted millions of Internet users. Cable cuts in the Mediterranean Sea severed Internet connectivity between the Middle East and Europe, drastically slowing communications. Cogent’s de-peering of Telia impacted Internet communications for selected Internet users in the United States and Europe for a two-week period. A routing change by Pakistan Telecom that spread across the Internet essentially took YouTube, a popular Internet video sharing site, offline for several hours."
Via Google Blogoscoped, "Google [has a] malware diagnosis service; just append any domain – your domain or another site you want to check on – to the end of the URL google.com/safebrowsing/diagnostic?site=, or paste a domain in the box below, and you will find an overview page listing potential problems like trojans or exploits (or the result may be telling you the site is OK)."
Chairman Kelliher testified before the House Homeland Security Committee, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid
Yahoo Search Blog: "Today, we're announcing the beta release of SearchScan, a new feature from Yahoo! Search that helps protect users from viruses, spyware and spam. We've heard from users that security and privacy continue to be major concerns when they are online. We've also learned that solutions that require downloads and constant updating are less than ideal. To tackle the problem, we partnered with McAfee to build a feature that provides a safer and hassle-free search experience to all users...How does it work? SearchScan leverages McAfee's SiteAdvisor technology to alert users if risky websites appear in Yahoo! Search results. Starting today, SearchScan will be turned on by default for all users in the U.S., Canada, UK, France, Italy, Germany, Australia, New Zealand, and Spain..."
European Digital Rights: "The European Ministers of Justice and Internal Affairs have agreed to make publishing bomb-making instructions on the Internet a crime...Justice and interior ministers from the EU member states backed a proposal from Commissioner Frattini to harmonise the normative acts that will make the "public provocation to commit a terrorist offence, recruitment, and training for terrorism" a crime. According to the statements of the EU officials publishing these acts on the Internet completed the European legislation in this domain. They described the Internet as "a virtual training camp for militants, used to inspire and mobilise local groups." Gilles de Kerchove, the EU anti-terrorism co-ordinator, declared that there are approx. 5,000 websites that are used to radicalise young people."
EPIC: "The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also recommended to raise the awareness of regulators, providers and the general public."
The Inspectors General, Journal of Public Inquiry Fall/Winter 2007/08 (96 pages, PDF)
Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071
News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."
News release: "The Federal Trade Commission has released three 60-second videos to help alert consumers to phishing scams. Phishing uses deceptive spam to trick consumers into divulging sensitive or personal information, including credit card numbers and other financial data, through an email or a link to a “copycat” site. The goal of the videos is to offer practical, useful, and memorable messages. The videos are the newest tool on OnGuardOnline.gov, the agency’s multimedia initiative to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. The award-winning site features tips, articles, how-to videos, interactive quizzes, and tutorials in English and Spanish. The new videos also will be featured on YouTube and on the FTC Web site here."
Cybercrime Legislation - Country profiles: "These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation. They do not necessarily reflect official positions of the countries covered or of the Council of Europe."
News release: "In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases."
"The Financial Action Task Force (FATF) is an inter-governmental body whose purpose is the development and promotion of national and international policies to combat money laundering and terrorist financing."
Exclusive TowerGroup Research Report: Bank Tech Spending in 2008: "Though banks’ IT budgets are likely to shrink if economic conditions worsen, demand for technologies that improve efficiency and integration, client engagement, and security and fraud management will continue, according to TowerGroup research."
U.S. Department of Energy, Office of Inspector General, Office of Audit Services, Audit Report, Management of the Department's Publicly Accessible Websites, March 2008.
Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.
One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."
DHS Fact Sheet: Cyber Storm II National Cyber Exercise - "In March 2008, the Department of Homeland Security’s National Cyber Security Division (NCSD) will sponsor its second large-scale national cyber exercise, Cyber Storm II. Planned in close coordination with and driven by its stakeholders and participants, the exercise will center on a cyber-focused scenario that will escalate to the level of a cyber incident requiring a coordinated Federal response. Exercises such as Cyber Storm II are critical in maintaining and strengthening cross-sector, inter-governmental and international relationships, enhancing processes and communications linkages, as well as ensuring continued improvement to cyber security procedures and processes. Cyber Storm II is part of Homeland Security's ongoing risk-based management effort to use exercises to enhance government and private sector response to a cyber incident, promote public awareness, and reduce cyber risk within all levels of government and the private sector."
HHS Office of Inspector General: Privacy Act of 1974; Revisions to OIG’s Privacy Act System of Records: Criminal Investigative Files, Federal Register, March 4, 2008.
Chris Hoofnagle, Measuring Identity Theft at Top Banks (Version 1.0) February 26, 2008. Berkeley Center for Law and Technology. Law and Technology Scholarship (Selected by the Berkeley Center for Law & Technology). Paper 44.
Data Breach Notification Laws, State By State, by Scott Berinato, "More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out."
"The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."
News release: "A bi-partisan group of Senators from the Commerce, Science and Transportation Committee led by U.S. Senators Olympia J. Snowe (R-Maine), Bill Nelson (D-Florida) and the Committee’s Ranking Member Ted Stevens (R-Alaska), introduced today bi-partisan legislation aimed at ending the deceptive practice known as phishing. The Anti-Phishing Consumer Protection Act of 2008 would prohibit phishing – the deceptive solicitation of a consumer’s personal information through the use of emails, instant messages, and misleading websites that trick recipients into divulging their information for the purpose of identity theft. The legislation would also prohibit related abuses, such as the practice of using fraudulent or misleading domain names, by defining them as deceptive practices under the FTC Act."
Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Princeton University, Electronic Frontier Foundation, Wind River Systems. February 21, 2008.
"The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication Consumer Fraud and Identity Theft Complaint Data January-December 2007, showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.
The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and the 50 metropolitan areas reporting the highest incidence of identity theft.
The report states that credit card fraud was the most common form of reported identity theft at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.
Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.
Educational Security Incidents (ESI) Year in Review - 2007, by Adam Dodge, posted February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach, as well as the addition of new categories such as incident type "Employee Fraud" and information type "Username and Password"."
Press release: "In connection with the 5th Safer Internet Day on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."
"Cisco® today announced key findings from its annual global study on remote workers' security awareness and online behavior, indicating how they can inadvertently heighten risks for themselves and the companies they work for. The study's findings are prompting Cisco security executives to offer recommendations to information technology (IT) professionals on how to protect their companies against threats and maximize the business benefits of distributed and mobile workforces."
Annual Threat Assessment of the Director of National Intelligence for the Senate Select Committee on Intelligence, February 5, 2008, J. Michael McConnell, Director of National Intelligence (47 pages, PDF).
Press release: "The FBI has recently developed information indicating cyber criminals are attempting to once again send fraudulent e-mails to unsuspecting recipients stating that someone has filed a complaint against them or their company with the Department of Justice or another organization such as the Internal Revenue Service, Social Security Administration, or the Better Business Bureau."
"Criminals are hard at work thinking up creative ways to get malware on your computer, warns the Federal Trade Commission. With appealing Web sites, desirable downloads, and compelling stories, these criminals try to lure consumers to links that will download malware, especially on computers that don’t use adequate security software. Then, they use the malware – malicious software – to steal personal information, send spam, and commit fraud. A new publication from the FTC has information that could help consumers protect their computers against malware and reclaim their computer and electronic information if malware is already on their computer. The publication, Minimizing the Effects of Malware, provides tips on spotting malware, and urges consumers to act immediately if they suspect their computer is affected by malware."
"The Federal Energy Regulatory Commission (FERC) approved eight new mandatory critical infrastructure protection (CIP) reliability standards to protect the nation’s bulk power system against potential disruptions from cyber security breaches. These reliability standards were developed by the North American Electric Reliability Corporation (NERC), which FERC has designated as the electric reliability organization (ERO)...The final rule, Mandatory Reliability Standards for Critical Infrastructure Protection, takes effect 60 days from the later of either the date Congress receives the agency notice of the rule, or the date the rule is published in the Federal Register."
The eight CIP reliability standards address the following topics:
* Critical Cyber Asset Identification;
* Security Management Controls;
* Personnel and Training;
* Electronic Security Perimeters;
* Physical Security of Critical Cyber Assets;
* Systems Security Management;
* Incident Reporting and Response Planning; and
* Recovery Plans for Critical Cyber Assets.
SANS NewsBites - Volume: X, Issue: 5
Press release: "USA*Engage and the National Foreign Trade Council (NFTC) today sent formal comments to the U.S. Securities and Exchange Commission (SEC), recommending that the Commission reconsider its proposal to further develop mechanisms to facilitate greater access to companies’ disclosures concerning their business activities in or with certain countries designated as “state sponsors of terrorism.” In comments sent to the SEC, the associations noted that U.S. companies operating in such countries are conducting legal, legitimate business, and that the proposed mechanism actually punishes those companies who are most transparent."
Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks, by Saar Drimer and Steven J. Murdoch, Computer Laboratory, University of Cambridge
Washington Post, Online Records May Aid ID Theft, Government Sites Post Personal Data, By Bill Brubaker: "Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."
US State Department's Overseas Security Advisory Council (OSAC) Activity Report: November 2007
Press release: "In a new report, the Federal Trade Commission staff describes findings from its July 2007 workshop, “Spam Summit: The Next Generation of Threats and Solutions” and proposes follow-up action steps that stakeholders can adopt to mitigate the harmful effects of malicious spam and phishing. In addition to proposing action steps for stakeholders, the report provides an overview of the agency’s decade-long role in protecting consumers from the threats of fraudulent spam and phishing. The report also announces results from staff’s 2007 Harvesting and Filtering Study, which suggest that Internet service providers’ spam filters continue to serve an integral role in reducing the amount of spam that reaches consumers’ in-boxes."
Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation."
DOE OIG Special Report: Management Challenges at the Department of Energy, December 2007
Press release: "The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports. The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity... Jeannine Kenney, Senior Policy Analyst with Consumers Union...presented findings of a Consumer Reports National Research Center poll at the FTC forum showing that 89 percent of Americans want state and federal lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. The poll also found that nearly all consumers want the right to freeze access to their credit files to prevent new account fraud. Currently 39 states and the District of Columbia give consumers the right to a security freeze and the three major credit bureaus have made the freeze available to consumers in the remaining states."
Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Updated November 15, 2007. "Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could
secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security...This report discusses options now open to nation states, extremists, or terrorist groups for obtaining malicious technical services from cybercriminals to meet political or military objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical infrastructure."
Awareness of Security Freeze Legislation and Use of Security Freezes by Consumers Age 18+ Research Report, Jennifer H. Sauer, M.A., AARP Knowledge Management, Neal Walters, AARP Public Policy Institute, November 2007
McAfee Virtual Criminology Report - Cybercrime: The Next Wave - The annual McAfee global cyber trends study into organized crime and the Internet in collaboration with leading international security experts, November 2007.
Press release: "The Federal Trade Commission today released a survey showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005. Of the victims, 3.2 million, or 1.4 percent of all adults, experienced misuse of their existing credit card accounts; 3.3 million, or 1.5 percent, experienced misuse of non-credit card accounts; and 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds were committed using their personal identifying information."
"Fraud Awareness Week is dedicated to promoting fraud awareness and educating businesses and the public about the growing global impact of fraud. Therefore, this is an appropriate time to address and promote basic steps that can be taken to recognize, report, and reduce the risk of becoming a victim of fraudulent activities. In recognition of Fraud Awareness Week, NCJRS presents this online compilation of resources addressing fraud:
The University of Arizona Artificial Intelligence Lab Dark Web project: "Based on our actual spidering experience over the past 5 years, we believe there are about 50,000 sites of extremist and terrorist content as of 2007, including: web sites, forums, blogs, social networking sites, video sites, and virtual world sites (e.g., Second Life). The largest increase in 2006-2007 is in various new Web 2.0 sites (forums, videos, blogs, virtual world, etc.) in different languages (i.e., for home-grown groups, particularly in Europe). We have found significant terrorism content in more than 15 languages...We believe our Dark Web collection is the largest open-source extremist and terrorist collection in the academic world."
Press release: "Starting November 1, consumers in all 50 states will be able to freeze access to their credit files at all three major credit bureaus to prevent identity thieves from opening fraudulent accounts in their names. By that date, all three major credit bureaus will offer “security freeze” protection to all consumers living in the eleven states that have not passed laws requiring it and the five states that currently limit this protection to identity theft victims. To help consumers learn how to take advantage of this powerful identity theft safeguard, Consumers Union, the nonprofit publisher of Consumer Reports, is making available online an updated Guide to Security Freeze Protection."
Text of the Federal Register Notice [256 pages, PDF] - Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003: 16 C.F.R. Part 681 (Federal Trade Commission Rule): Joint Final Rules and Guidelines of the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission.
CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."
Press release, October 16, 2007: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today introduced the bipartisan Identity Theft Enforcement and Restitution Act of 2007 to give federal prosecutors important new tools to combat the growing problem of identity theft and cyber crime.
The Identity Theft Enforcement and Restitution Act of 2007 would:
Press release: "With a full twelve months under our belt, today OpenDNS published the first-ever PhishTank annual report. The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country."
National Institute of Standards and Technology, Computer Security Division: "SP 800-44 version 2, Guidelines on Securing Public Web Servers, is published as final. It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers."
"Two of the key findings from this year’s Global Security Survey revolve around an organization’s people and a paradox that has been around for years. The weakest link in an organization’s security is its people. An organization’s people include employees, customers, third parties and business partners. And of those people, the highest number of breaches are perpetrated via the customer. Even though information security incidents are grabbing the attention of business executives and boards, these individuals do not yet feel that they “own” the problem. In their estimation, the execution of solutions is the mandate of IT. This information security paradox has been alive and well for years; the 2007 security survey confirms just how widespread it is."
National Southwest Border Counternarcotics Strategy - Unclassified Summary, October 2007
European Security Research Agenda: European Commission Working documents: Public-Private Dialogue in Security Research and Innovation: Summary of the Impact Assessment (SEC (2007); Public-Private Dialogue in Security Research and Innovation: Impact Assessment (SEC (2007)
StaySafeOnline.org: "The National Cyber Security Alliance (NCSA), a consortium of government agencies and private industry sponsors, is proud to designate October 2007 as National Cyber Security Awareness Month (NCSAM). National Cyber Security Awareness Month is a national campaign designed to increase the public's awareness of cyber security and cyber crime issues so that users can take precautions to avoid these threats on the Internet. The month will feature a number of initiatives including public relations activities, educational programs and events that target Home Users, Small Businesses, Education audiences (K-12 and higher education), and Child Safety online."
Press release: "Committee on Homeland Security Committee Chairman Bennie G. Thompson (D-MS) and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James R. Langevin (D-RI) sent a letter on Friday to Richard L. Skinner, Inspector General of the Department of Homeland Security to request an investigation into cyber attacks on the Department initiated by foreign entities and relating to incompetent and possibly illegal activity by the contractor charged with maintaining security on its networks. Links to the letter and its enclosure."
Press release: "Attorney General Andrew Cuomo announced today that his office is investigating Facebook over representations the company makes about safety measures in place on its website. In a letter accompanying a subpoena for documents, Cuomo warned the company that a preliminary review conducted by his office revealed significant defects in the site’s safety controls and the company’s response to complaints - deficiencies that stand in contrast to the reassuring statements made on the website and by company officials."
Press release: "Four out of five companies have suffered from corporate fraud in the past three years, according to a survey from Kroll, the world’s leading risk consulting company. New technologies, new investors and expansion into new overseas markets have opened the door to different forms of fraud, the report concludes. In some sectors, more than a fifth of companies have lost more than $1m...The report draws on a survey by the Economist Intelligence Unit of 900 senior executives worldwide."
Press release: "Electronic Frontiers Australia (EFA) today slammed a Bill introduced into the Senate which would give members of the Australian Federal Police powers to ban access to Internet content. The Communications Legislation Amendment (Crime or Terrorism Related Internet Content) Bill 2007 would, if enacted, give senior members of the Australian Federal Police powers to ban access to Internet content which they "have reason to believe": encourages, incites, or induces the commission of a Commonwealth offence; or was published in part to facilitate the commission of such an offence; or that it is likely to have the effect of facilitating the commission of such an offence."
EPIC: "The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security held a series of panel discussions on the topic of "information fusion centers." EPIC's statement to the committee made specific recommendations on the need to create accountability, oversight, and greater transparency on the work of fusion centers. So far DHS has awarded over $380 million in grants to local and state law enforcement to build 43 of the planned 70 interconnected computer networks. The domestic surveillance project is compiling, analyzing, and disseminating detailed personal information for intelligence and other purposes. DHS says it wants to use fusion centers to prevent terrorism, but local and state police want the centers to support their efforts to anticipate, identify, prevent, and/or monitor crime. See EPIC's page on Fusion Centers and Spotlight on Surveillance."
Press release: "The FTC today told the Maryland Task Force on Identity Theft that public organizations, including federal, state, and local governments, “play a critical role in guarding against misuse and unauthorized disclosure of the personal information they collect and maintain.” Speaking before the Maryland Task Force to Study Identity Theft, Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection said, “To succeed in the battle against identity theft, federal, state and local governments, working together with the private sector, must make it more difficult for thieves to obtain the information they need to steal identities, make it more difficult to use that information if they do obtain it, and assist victims when thefts occur.”
Press release: "The FTC today told the Senate Committee on Commerce, Science & Transportation Subcommittee on Interstate Commerce, Trade and Tourism that it has a robust record in protecting consumers and preserving competition in the marketplace...Speaking for the Commission, Chairman Deborah Platt Majoras said that much of the work of the FTC’s Bureau of Consumer Protection has been devoted to data security and identity theft, technology risks to consumers, fraud in the marketing of health care products, financial practices, telemarketing fraud, and enforcement of the National Do Not Call Rule."
"Terrorists and extremists have set up shop on the Internet, using it to recruit new members, spread propaganda and plan attacks across the world. The size and scope of these dark corners of the Web are vast and disturbing. But in a non-descript building in Tucson, a team of computational scientists are using the cutting-edge technology and novel new approaches to track their moves online, providing an invaluable tool in the global war on terror. Funded by the National Science Foundation and other federal agencies, Hsinchun Chen and his Artificial Intelligence Lab at the University of Arizona have created the Dark Web project, which aims to systematically collect and analyze all terrorist-generated content on the Web."
PC World: Study Finds Spam's Achilles Heel - "Researchers say they've discovered a critical weakness in the spam infrastructure."
Freedom and Information: Assessing Publicly Available Data Regarding U.S. Transportation Infrastructure Security, August 8, 2007: "This report concerns the feasibility of obtaining information relevant to planning terrorist attacks from publicly available sources. To the extent that such information is available, it is particularly valuable to terrorist planners in that it can generally be obtained at lower cost, risk, and effort than more direct forms of gathering information such as observation of a potential target. Familiarity with public sources of information is also valuable to defenders. If they are unaware that a terrorist group knows or can easily learn about a particular vulnerability, that vulnerability can be exploited more easily."
Erickson, K., & Howard, P. (2007). A case of mistaken identity? News accounts of hacker, consumer, and organizational responsibility for compromised digital records. Journal of Computer-Mediated Communication, 12(4), article 5.
UK House of Lords, Science and Technology Committee, 5th Report of Session 2006-2007: Personal Internet Security, August 10, 2007 (121 pages, PDF)
But the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today's "bad guys" belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded. While the incidence and cost of e-crime are known to be huge, no accurate data exist.
Underpinning the success of the Internet is the confidence of hundreds of millions of individual users across the globe. But there is a growing perception, fuelled by media reports, that the Internet is insecure and unsafe. When this is set against the rate of change and innovation, and the difficulty of keeping pace with the latest technology, the risk to public confidence is clear.
The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless "wild west". It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system.
We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders.
The threat to the Internet is clear, but it is still manageable. Now is the time to act, both domestically, and internationally, through the European Union and through international organisations and partnerships.
"The risk associated with using the Internet remains high. Our State of the Net assesses the likelihood and impact of four leading online hazards, listed in order of incidence, based on the survey by the Consumer Reports National Research Center and our follow-up investigation."
Press release, July 19, 2007: "The Department of Justice today submitted to Congress new proposed legislation that seeks to update and improve current laws aimed at protecting Americans from the increasingly sophisticated crime of identity theft. The proposed bill, titled the Identity Theft Enforcement and Restitution Act of 2007, was a significant recommendation included in the final strategic plan from the President’s Task Force on Identity Theft released in April 2007. The strategic plan was the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack identity theft at all levels in the public and private sectors. Among other provisions, the proposed legislation seeks to ensure that victims of identity theft can recover the value of the time lost attempting to repair damage inflicted by identity theft. Under current law, restitution to victims from convicted thieves is available only for the direct financial costs of identity theft offenses."
sfgate.com - ON THE RECORD: DEBORAH MAJORAS, CHAIRWOMAN, FTC: "She shares her thoughts on what her agency can -- and cannot -- do on everything from mergers to fraud to privacy to gas prices to infomercials," Sunday, July 15, 2007
Spam Summit: The Next Generation of Threats and Solutions: "A two-day conference that will bring together experts from the business, government, and technology sectors, consumer advocates, and academics to explore consumer protection issues surrounding spam, phishing and malware. The agenda and a list of participants can be found here."
Press release: "Google Inc. announced today that it has signed a definitive agreement to acquire Postini, a global leader in on-demand communications security and compliance solutions serving more than 35,000 businesses and 10 million users worldwide. Postini's services -- which include message security, archiving, encryption, and policy enforcement -- can be used to protect a company's email, instant messaging, and other web-based communications. Under the terms of the agreement, Google will acquire Postini for $625 million in cash, subject to working capital and other adjustments, and Postini will become a wholly-owned subsidiary of Google. The agreement is subject to customary closing conditions and is expected to close by the end of the third quarter 2007."
Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. GAO-07-737, June 4, 2007.
Toward a Safer and More Secure Cyberspace, Seymour E. Goodman and Herbert S. Lin, Editors, Committee on Improving Cybersecurity Research in the United States, National Research Council, 272 pages, pre-publication copy, 2007.
Press release: "Fidelity National Information Services, Inc. announced today that its subsidiary, Certegy Check Services, Inc., a service provider to U.S. retail merchants, based in St. Petersburg, Fla., was victimized by a former employee who misappropriated and sold consumer information to a data broker who, in turn, sold a subset of that data to a limited number of direct marketing organizations...The misappropriated information included names, addresses and telephone numbers as well as, in many cases, dates of birth and bank account or credit card information. Approximately 2.3 million records are believed to be at issue, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the time period over which the misappropriations occurred."
MessageLabs Intelligence Report: Increased Number of Spam Spikes and New Image Spam Techniques Cause Trouble for Businesses: "Analysis of [May 2007] data showed that spammers continue to innovate and employ new methods to elude traditional anti-spam solutions. Rather than embedding images in the body of an email message, spammers are now hosting images on sites that do not require registration and include links to those sites or an HTML image in the email message."
Treasury Inspector General for Tax Administration. Progress Has Been Slow in Meeting Homeland Security Presidential Directive–12 Requirements, June 20, 2007. Reference Number: 2007-20-110
Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Wednesday, June 20, 2007. [links to prepared statements, testimony and relevant correspondence]
"This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims. The report is among a series of guides on investigating electronic crime."
Press release: "[June 13, 2007] the Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle “botherders” and elevate the public’s cyber security awareness of botnets. OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity."
Press release: "Tens of thousands of consumers are unwitting accomplices of illegal spammers and at the mercy of identity thieves, warns the Federal Trade Commission. These consumers’ computers have been secretly hijacked by criminals who install spam-sending software and spyware on the computers when consumers open malicious e-mail attachments or visit a malicious Web site. After gaining access to consumers’ computers, the criminals can track consumers’ Internet surfing, steal personal information, and turn the computers into spam “zombies” that are part of a “botnet” made up of thousands of home computers through which spammers route spam. In a new consumer alert, Botnets and Hackers and Spam (Oh, My!), the FTC urges consumers to secure their personal information and stop assisting spammers."
"The anti-phishing research group at Indiana University, stop-phishing.com, is striving to understand, detect and prevent online fraud, and in particular, to reduce the economic viability of phishing attacks. We achieve this goal through a cross-disciplinary research agenda in which we consider all facets of the problem, ranging from psychological aspects and technology matters to legal issues and interface design considerations. We are attuned to needs and concerns within the financial sector, among privacy advocates, and of common users, and are dedicated to turning the tide."
Press release: "Software security researchers can disclose vulnerabilities almost to their hearts' content. Web security researchers, on the other hand, can go to jail for merely looking for a vulnerability, much less disclosing one publicly. The inaugural report of CSI's new working group explains why, and whether the legal climate is bad for the Internet."
Press release: "This Web site has been established to provide information about an Information Technology Security Incident in which a security breach in a computer application resulted in exposure of sensitive information belonging to current and former University of Virginia faculty members. A criminal investigation is being conducted by University of Virginia Police in consultation with the FBI and the University’s computing and audit professionals. The investigation has revealed that hackers tapped into the records of 5,735 faculty members."
Cooperation against Cybercrime: 11-12 June 2007, Palais de l’Europe, Strasbourg, France: "Societies worldwide rely on information and communication technologies. However, the increasing dependency on such technologies is accompanied by a growing vulnerability to criminal intrusion and misuse. In response to these challenges the Council of Europe adopted the Convention on Cybercrime (ETS 185) in 2001 and the Protocol on the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems (ETS 189) in 2003."
The State of Search Engine Safety, June 4, 2007 - Ben Edelman, Advisor to McAfee SiteAdvisor, and Hannah Rosenbaum, Research Analyst, McAfee SiteAdvisor
M-07-18, Ensuring New Acquisitions Include Common Security Configurations (June 1, 2007)
Press release, May 31, 2007: "Attorney General Richard Blumenthal, with attorneys general from 43 other states, announced a settlement today with ChoicePoint for allegedly failing to adequately protect consumers' personally identifiable information, resulting in a massive security breach. The Atlanta-based ChoicePoint, which collects and maintains personally identifiable information on consumers, provides identification and credential verification services to businesses, government and non-profit organizations. In February 2005, ChoicePoint announced that criminals posing as legitimate businesses accessed consumers' personally identifiable information. The company notified more than 145,000 consumers nationwide whose information may have been compromised - including nearly 6,000 from Connecticut. Under today's settlement, ChoicePoint has agreed to adopt significantly stronger security measures. Those measures include written certification and, in some cases, on-site visits by ChoicePoint to ensure the legitimacy of companies before they are allowed access to personally identifiable information. ChoicePoint will also conduct periodic audits to ensure that companies are using consumer data for legitimate purposes."
Press release: "...a recent TriCipher Consumer Online Banking Study, conducted by Javelin Strategy and Research, reveals that consumers would take advantage of more online banking services if banks provided stronger identity protection. The TriCipher Consumer Online Banking Study included 3,349 respondents from a random-sample panel that was representative of the U.S. population. Surprising findings uncovered that nearly 1 in 5 - estimated at 26 million - adult consumers have been victims of identity theft or fraud in their lives. And, according to survey results, over 88 million online banking customers would switch banks, or reduce online banking usage, if news reports exposed their individual institution as compromised."
Clay Johnson III, Deputy Director for Management, Office of Management and Budget: M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007 (22 pages, PDF)
Earthtimes reports that a recent "internal survey conducted by search engine giant Google has revealed that one in every 10 pages scanned by the company is infected with malicious software that can harm the users' PC."
FinancialPrivacyNow.org: "Identity theft is one of the fastest growing financial crimes. Nearly 10 million Americans fall victim each year. The Identity Theft Resource Center reported in 2005 that, on average, an ID theft victim of new account and other fraud spent 60 hours resolving problems brought on by ID theft; those victims of existing accounts spent an average of 15 hours resolving problems. A 2003 Federal Trade Commission study found that identity theft also costs U.S. businesses nearly $48 billion annually, and consumers an additional $5 billion per year. A security freeze lets consumers stop thieves from getting credit in their names. A security freeze locks, or freezes, access to the consumer credit report and credit score. Without this information, a business will not issue new credit to a thief. When the consumer wants to get new credit, he or she uses a PIN to unlock access to the credit file. These states [included at this link] give consumers this important weapon to prevent identity theft. (updated 5/8/07)"
Follow-up to the May 5, 2007 posting, Missing TSA Hard Drive Has Data on 100,000 Employees, this additional update from the TSA: "Today the Transportation Security Administration (TSA) announced a benefit package to provide employees and former employees affected by the data security incident with free credit monitoring for up to one year. In addition to credit monitoring, the package includes ID theft insurance up to $25,000, fraud alerts and identity restoration specialists who will complete paperwork and assist employees in the event they are a victim of identity theft. Current and former employees can register via phone, mail or online through a secure web site. More information is available at www.tsa.gov, including a list of frequently asked questions."
Press release, May 4, 2007: "Yesterday the Transportation Security Administration (TSA) became aware of a potential data security incident involving approximately 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. An external hard drive containing personnel data (including name, social security number, date of birth, payroll information, bank account and routing information) was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital. It is unclear at this stage whether the device is still within headquarters or was stolen. TSA immediately reported the incident to senior DHS and law enforcement officials and launched an investigation. TSA is treating this incident as a criminal matter and has asked the FBI to investigate. The U.S. Secret Service is also assisting in the forensic review of equipment and facilities. TSA is cooperating fully." [Wired Blog]
Senate Committee on Homeland Security and Governmental Affairs hearing on The Internet: A Portal to Violent Islamist Extremism, May 3, 2007.
Prepared testimony submitted for this hearing:
Press release: "Today, the House Judiciary Committee approved four crime bills and sent them to the House floor for consideration. The bills were: HR 1700, the "COPS Improvement Act of 2007;" HR 916, the "John R. Justice Prosecutors and Defenders Incentive Act of 2007;" HR 1525, the "Internet Spyware Prevention Act of 2007;" and, HR 1615, the "Securing Aircraft Cockpits Against Lasers Act."
Press release: "Today, Committee on Homeland Security Chairman Bennie G. Thompson (D-MS) joined committee members in a letter to Department of Homeland Security Chief Information Officer Scott Charbo requesting information about the security of the Department’s networks. The letter follows up on a recent cybersecurity hearing, where members learned about the widespread hacking of government networks at the Departments of State and Commerce. The letter...poses 13 questions for response."
Press release: "Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras today announced the completion of the President’s Identity Theft Task Force strategic plan to combat identity theft. The strategic plan is the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack this widespread and destructive crime. The plan focuses on ways to improve the effectiveness of criminal prosecutions of identity theft; enhance data protection for sensitive consumer information maintained by the public sector, private sector, and consumers; provide more comprehensive and effective guidance for consumers and the business community; and improve recovery and assistance for consumers."
Related Documents:
Combating Identity Theft: A Strategic Plan, Final recommendations released April 23, 2007
Press release: "UK consumers are not as risk-averse when it comes to using online services as previously thought, according to recent research conducted by BT. Despite daily warnings about security threats and cyber-criminals, people are willing to take risks online, as long as they feel informed, and it is clear how consequences will be addressed. According to the findings from the Trustguide report, which was a collaborative research project by BT with support from the DTI, people use specific online services not because they trust them, but because they believe the benefits outweigh the risks. Government and private industry must therefore take responsibility for educating and reassuring the public that safeguards are in place, if they are to succeed with e-Government and e-Commerce initiatives...Based on the research, the Trustguide report outlines a set of guidelines to inform policy making and service development for ICT delivered services. In addition to enabling better-informed decision-making through education, and advising users of restitution and guarantee measures should something go wrong, the report highlights the need for greater honesty and transparency of data usage by service providers."
Anti-Phishing Working Group (APWG), Phishing Activity Trends for February 2007 (8 pages, PDF)
Tech//404® Data Loss Cost Calculator: "Data loss resulting from network security breaches and identity theft has become a regular occurrence. While the number of affected records can vary widely in any given data loss scenario, a recent study by the Ponemon Institute found that the average number was roughly 99,000. For recent examples and media reports, visit the data loss archive. Darwin created the Tech//404® data loss cost calculator as a tool to demonstrate the scope of negative financial impact an organization may face as a result of a data breach or identity theft data loss scenario. The calculator will automatically generate an average cost, and a plus/minus 20% range, for expenses associated with internal investigation, notification/crisis management and regulatory/compliance if the incident were to give rise to a class action claim."
Press release: "Former 9/11 Commission counsel Janice Kephart announces the launch of an online Identity Document Security Library, consisting of legal, technical and policy pieces regarding identity document security. Kephart, a nationally recognized border security expert, created the library to serve as a 'one-stop-shop' information portal for those seeking objective, credible information on the issue of identity document security...The issue of identity, and information about identity, underlies the 9/11 Commission's border work, whose recommendations included the creation of minimum standards for state-issued driver licenses and IDs. Kephart's recently issued white paper, Identity and Security: Moving Beyond the 9/11 Staff Report on Identity Document Security, maintains that securing identities and identity documents is perhaps the single most effective measure the United States can take to lay a foundation for national and economic security and public safety."
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The eleventh version of the report, released March 19, 2007, is now available."
Press release: "The Federal Trade Commission today told the Senate Judiciary Committee Subcommittee on Terrorism, Technology, and Homeland Security that “the government and the private sector must continue to work together to reduce the opportunities for thieves to obtain consumers’ personal information and make it more difficult for thieves to misuse that information if they obtain it.” Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection, said government and the business community should evaluate whether they need to collect and maintain the data they have about consumers, better-protect the data that they do possess, and develop better ways to authenticate customers to keep identity thieves from using the information they steal."
Press release: "If Assistant Professor of Communication at the University of Washington Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."
Press release: "The FBI’s Internet Crime Complaint Center (IC3) today released its annual Internet Fraud Crime Report. From January 1 through December 31, 2006, the center received 207,492 complaint submissions. These filings were composed of fraudulent and non-fraudulent complaints primarily related to the Internet and included many different fraud types to include auction fraud, non-delivery, and credit/debit card fraud, as well as non-fraudulent complaints, such as computer intrusions, spam/unsolicited email..."
Press release: "The U.S. Department of Homeland Security and Alabama state officials unveiled today the National Computer Forensic Institute in Hoover, Ala., that will assist in the field of computer forensics and digital evidence analysis. The institute will be developed by the U.S. Secret Service and is partially funded by the department’s National Cyber Security Division. It will serve as a national cyber crimes training facility where state and local police officers, as well as prosecutors and judges, will be offered training and equipment."
SEC press release: "The Securities and Exchange Commission this morning suspended trading in the securities of 35 companies that have been the subject of recent and repeated spam email campaigns (see examples). The trading suspensions - the most ever aimed at spammed companies - were ordered because of questions regarding the adequacy and accuracy of information about the companies. The trading suspensions are part of a stepped-up SEC effort - code named "Operation Spamalot" - to protect investors from potentially fraudulent spam email hyping small company stocks with phrases like, "Ready to Explode," "Ride the Bull," and "Fast Money." It's estimated that 100 million of these spam messages are sent every week, triggering dramatic spikes in share price and trading volume before the spamming stops and investors lose their money."
Press release: "The arm of the FBI that investigates financial crimes ranging from underground pyramid schemes to institutionalized fraud in the nation’s corporate suites has issued its annual report detailing the most prevalent types of schemes investigators tackled in 2006. The Financial Crimes Report to the Public is prepared each year by the Financial Crimes Section of the FBI's Criminal Investigative Division. The report, which covers a 12-month period ending September 30, 2006, explains in detail dozens of fraud schemes, tallies FBI accomplishments combating the crimes, and offers tips the public can use to protect itself."
Press release: "...the Department of Commerce's United States Patent and Trademark Office (USPTO) released a report that concludes that the distributors of five popular filesharing programs repeatedly deployed features that they knew or should have known could cause users to share files inadvertently. The report, Filesharing Programs and 'Technological Features to Induce Users to Share', identifies five features in recent versions of five popular filesharing programs that could cause users to inadvertently distribute to others downloaded files or their own proprietary or sensitive files. 'Computer programs that can cause unintended filesharing contribute to copyright infringement, and they threaten the security of personal, corporate, and governmental data,' noted Jon Dudas, under secretary of commerce for intellectual property - the Bush Administration's point person on copyright policy."
E-Commerce Times:
"On April 23 and 24, 2007, the Federal Trade Commission will host a public workshop, Proof Positive: New Directions in ID Authentication, to explore methods to reduce identity theft through enhanced authentication. The workshop will facilitate a discussion among public-sector, private-sector, and consumer representatives, and will focus on technological and policy requirements for developing better authentication processes, including the incorporation of privacy standards and consideration of consumer usability issues."
Findings from a new study by ID Analytics, reported by ComputerWeek, indicate that "...the riskiest states for ID theft are New York, California, Nevada and Arizona, while the safest ones are Wyoming, Vermont, Montana and North Dakota. The riskiest 5-digit zip codes for ID theft -- after Floral Park and Faulkton -- are Old Bethpage, N.Y., New York City and Manhasset, N.Y."
"The Federal Bureau of Investigation (FBI) has launched a service that sends out electronic mail (e-mail) alerts when new and vital information is posted on the FBI.gov Web site. Subscribers select which topics they want updates on, such as new electronic scams (e-scams) and warnings, most wanted terrorists, top ten fugitives, and local and national press releases. The alerts are transmitted as soon as updates are posted to the FBI's Web site or published in their daily, weekly, or monthly digests. The FBI views this service as a means of furthering American citizens' safety by keeping them informed. No personal information is required to sign up for this service, just an e-mail address to which the alerts will be sent. To sign up for the service please visit www.FBI.gov."
Press release: "The Federal Trade Commission today issued its annual report, “Consumer Fraud and Identity Theft Complaint Data” on complaints consumers have filed with the agency. For the seventh year in a row, identity theft tops the list, accounting for 36 percent of the 674,354 complaints received between January 1 and December 31, 2006. Other categories near the top of the complaint list include shop-at-home/catalog sales; prizes, sweepstakes and lotteries; Internet services and computer complaints; and Internet auction fraud."
New York State Office of the CIO: "Identity and Access Management (IAM) provides an effective way to protect computer-based services and data for all state and local agencies from unauthorized access. Organizational business requirements often result in the need to grant external users access to services and data or to achieve multi-organizational system interoperability. Demand has become more prevalent due to legislative mandates and increasing connectivity offered by public and private networks. Issuing the NYS Trust Model as a best practice guideline (G07-001) is the first step in establishing a long term Identity and Access Management (IAM) strategy for the state enterprise. The NYS Trust Model establishes basic standards and processes that govern how identity credentials are issued, protected and managed."
Inspection Letter Report, Alleged Loss or Theft of Personally Identifiable Information at Pantex, February 2, 2007.
The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies, working draft released February 4, 2007. Authors: Stuart E. Schechter (MIT), Rachna Dhamija (Harvard), Andy Ozment (MIT), Ian Fischer (Harvard).
"The Javelin 2007 Identity Fraud Survey Report provides a detailed, comprehensive analysis of identity fraud in the United States, in order to help consumers and businesses better understand the effectiveness of methods used for its prevention, detection and resolution. A nationally representative sample of over 5,000 US adults, including 458 fraud victims, is surveyed via a 44-question phone interview to gain insight into this crime and its effects upon its victims. This report is issued as a longitudinal update to the Javelin 2006 Identity Fraud Survey Report, the Javelin 2005 Identity Fraud Survey Report and the Federal Trade Commission’s (FTC) 2003 Identity Theft Survey Report. Report Preview."
Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group Final Report and Recommendations (PDF, 42 pages), January 19, 2007 and Transmittal Letter (PDF, 2 pages), January 19, 2007.
Press release: "The University of New Hampshire Cyber Threat Calculator was unveiled Thursday, January 25, 2007, at the Department of Defense Cyber Crime Conference 2007 in St. Louis, Missouri. The UNH Cyber Threat Calculator was developed by researchers at UNH Justiceworks and students, and offers a new method to identify and quantify the threats posed to the United States' cyber infrastructure."
Press release: "The FBI in Los Angeles announced it opened an investigation to determine who hacked into a restricted database at the University of California at Los Angeles (UCLA) that held the names and personal information of some 800,000 students, faculty, and alumni. Anyone who thought they had been further victimized as a result of the breach was encouraged to contact the Internet Crime Complaint Center (IC3)."
Press release: "U.S. Senator Dianne Feinstein (D-Calif.) today reintroduced two bills [Notification of Risk to Personal Data Act and the Social Security Number Misuse Prevention Act] aimed at protecting individuals from identity theft by requiring businesses to notify consumers in the event of a security breach and prohibiting the sale or display of an individual’s Social Security number without his or her consent. Senator Feinstein said that the increased frequency of data breaches demonstrates that the legislation is needed sooner rather than later. Major data breaches have occurred in recent months at Boeing, UCLA, the Colorado Department of Human Services, Starbucks, the Chicago Voters' Database, and Akron Children's Hospital."
Press release, January 4, 2007: "Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection."
Related news:
Press release: "Attorney General Kelly Ayotte announced today that if you live in New Hampshire, effective January 1, 2007 you will have the right to put a "security freeze" on your credit file. A security freeze means that your file cannot be shared with potential creditors. A security freeze can help prevent identity theft. Most businesses will not open credit accounts without first checking a consumer's credit history. If your credit files are frozen, even someone who has your name and Social Security number would probably not be able to get credit in your name. The security freeze legislation passed in the 2006 legislative session....A security freeze fact sheet, including step by step instructions on how to place a security freeze, is available here."
Press release: Among the predictions is the following: "Blogging and community contributors will peak in the first half of 2007. Given the trend in the average life span of a blogger and the current growth rate of blogs, there are already more than 200 million ex-bloggers. Consequently, the peak number of bloggers will be around 100 million at some point in the first half of 2007."
From Bank System and Technology:
Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety is on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."
Audit Report - Secretary of Energy From DOE Inspector General Gregory Friedman, Selected Controls over Classified Information at the Los Alamos National Laboratory, November 27, 2006.
Status Report on OIG Data Security via the Data Security Portal: "Our November 21, 2006, status report notes several important developments, including the fact that as a result of our investigation in cooperation with the Federal Bureau of Investigation and the Miami-Dade County Police Department, two individuals have been arrested for their alleged roles in a small Miami-area laptop theft ring. While the OIG's laptops have not been recovered, there has been no credit fraud resulting from the laptop thefts and we believe that the risk of credit fraud in the future is very low. A firm hired to perform data breach analysis has failed to find any misuse of information on the laptops, and will continue to analyze the information..."
Information Security: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing. Full text, GAO-07-65, and Highlights, October 20, 2006.
"Up to 80% of spam targeted at Internet users in North America and Europe is generated by a hard-core group of around 200 known professional spam gangs whose names, aliases and operations are documented in Spamhaus' Register Of Known Spam Operations (ROKSO) database. This TOP 10 chart of ROKSO-listed spammers is based on those Spamhaus views as the highest threat, the worst of the career spammers causing the most damage on the Internet currently. Spamhaus flags these as a priority for Law Enforcement Agencies."
DOJ OIG - Top Management Challenges in the Department of Justice - 2006 Challenges [Full Report]
Section by section:
Press release: "Symantec Corp...announced the opening of the Symantec Phish Report Network to consumers worldwide. As one of the world's leading antifraud communities, the Symantec Phish Report Network, launched in May 2006, allows member companies to contribute and receive fraudulent Web site addresses that they can use in their antiphishing solutions to help protect users from online fraud. Consumer input further helps the Symantec Phish Report Network's fight against online fraud and will aid in preventing other computer users from becoming victims."
Follow up to previous postings on ChoicePoint and data breaches, today's New York Times article, Keeping Your Enemies Close, provides a chronology of how the company has made inroads in rehabilitating its reputation.
Will Knight at New Scientist reports that research by Professor Markus Jakobsson and grad student Jacob Ratkiewicz, Indiana University, indicates "...one in 10 internet users may be lured into handing over sensitive personal information such as a credit card number, by fraudulent "phishing" emails..." and "that some survey participants may not have realised that they have been stung by a phishing scam, or may simply be too embarrassed to admit to it."
Press release: "The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command as the provider of forces that the President, combatant commanders and the American people can rely on for preserving the freedom of access and commerce, in air, space and now cyberspace," said Secretary of the Air Force Michael W. Wynne.
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam, security risks, and future trends. The tenth version of the report, released September 25, is now available."
Press release: "In a report released today, Reps. Davis and Waxman summarize information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected."
Key Conclusions:
Press release, October 4, 2006: "As information security concerns among consumers and other customer constituencies rise, just 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to findings of a major research initiative by the Chief Marketing Officer (CMO) Council. Without such a plan and other security strategies in place, companies are at risk of losing hundreds of millions of dollars in market value and loss of reputation and brand trust, according to the study's findings."
Launched today, the Take a Byte Out of Cybercrime website: "Led by the beloved McGruff character, the National Crime Prevention Council, the CMO Council and FAME have joined forces to bring together one of the largest and most influential coalitions of private and public companies whose primary goal is to teach millions of consumers how to identify, report and protect themselves against cyber crime." [download the tip sheets]
Press release: "The Metropolitan Police Computer Crime Unit is investigating data recovered from a computer in the United States that was found to contain personal information from hacked computers located in the United Kingdom. We believe the data has been stolen by the use of a computer virus and it is believed more than 2,300 compromised computers in the UK consisting of 83,000 files have been targeted."
(U) Office of Inspector General Laptop Computers are Susceptible to Compromise (Unclassified and Redacted) OIG-06-58 (PDF, 48 pages), released October 2, 2006.
Press release: "On September 22, 2006, the President signed the United States' instrument of ratification for the Council of Europe Convention on Cybercrime. Today, the United States became a party to the Convention upon deposit of the instrument of ratification at the headquarters of the Council of Europe in Strasbourg, France. The Convention will enter into force for the United States on January 1, 2007. The Convention entered into force on July 1, 2004. As of September 27, 2006, there were 43 Signatories and 15 Parties to the Convention."
Press release: "Congressman Barney Frank yesterday wrote to the Chairman of the Federal Trade Commission (FTC) and representatives of the credit reporting industry asking that they look into the numerous complaints from consumers about access to credit reports and fraud alerts." [text of letter is included in this release]
"A survey of internet leaders, activists, and analysts shows that a majority agree with predictions that by 2020 [Link to The Future of the Internet II (115 pages, PDF)]:
Department of Defense Office of the Inspector General -- Audit Summary of Information Assurance Weaknesses Found in Audit Reports Issued from August 1, 2005, through July 31, 2006 - Report No. D-2006-110 (PDF) - Date: September 14, 2006.
Press release: "The U.S. Department of Homeland Security (DHS) announced today the release of the Cyber Storm Public Exercise Report. The report details key findings from Cyber Storm which was the largest and most complex multi-national, government-led cyber exercise to examine response, coordination, and recovery mechanisms to a simulated cyber event within international, federal, state, and local governments and in conjunction with the private sector."
FTC press release: "An operation that placed spyware on consumers' computers in violation of federal laws will give up more than $2 million to settle Federal Trade Commission charges. Under a stipulated final judgment and order, the defendants are permanently prohibited from interfering with a consumer's computer use, including but not limited to distributing software code that tracks consumers' Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers' computers."
SEARCH, The National Consortium for Justice Information and Statistics - Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community, August 2006.
Press release: Carnegie Mellon CyLab researchers create new system to address phishing fraud [ZDNet]
From the Antiphishing Working Group, the June Phishing Activity Trends Report.
Bureau of Justice Statistics, Prosecutors in State Courts, 2005: "Presents findings from the 2005 National Survey of Prosecutors, the latest in a series of data collections about the Nation's 2,300 State court prosecutors’ offices that tried felony cases in State courts of general jurisdiction. This study provides information on the number of staff, annual budget, and felony cases closed for each office. Information is also available on the use of DNA evidence, computer-related crimes, and terrorism cases prosecuted. Other survey data include special categories of felony offenses prosecuted, types of non-felony cases handled, number of felony convictions, number of juvenile cases proceeded against in criminal court, and work-related threats or assaults against office staff."
Press release, August 14, 2006: "Washington State Attorney General Rob McKenna... announced the filing of Washington's second lawsuit under the state's computer spyware act. The state's suit accuses four California-based corporations of installing software that takes control of a consumer's computer by launching aggressive and persistent pop-ups that demand payment for a movie download service."
Ponemon Institute Releases National Survey on Confidential Data at Risk
Consumer Alert: New Phishing Attack Claims to be FDIC
Industry, Government Fret Over Tactics for Fighting Data Theft, by Marcia Coyle, The National Law Journal, August 10, 2006.
StopBadware.org Blog: "We're entering a new phase here at StopBadware.org. Google—which is one of our partners—will present people with a warning before they visit websites that have been reported to StopBadware.org as sites that distribute badware. These warnings currently link to a general page on StopBadware.org, but as we finish researching sites, we'll replace the general page with one of our individual website reports (see an example here). Hopefully this next step will bring us that much closer to fulfilling our mission of providing people with reliable, objective information about downloadable applications in order to help them make better choices."
Statement of Attorney General Alberto R. Gonzales on the Passage of the Cybercrime Convention, August 6, 2006: "The Cybercrime Convention - the first of its kind - will be a key tool for the United States in fighting global, information-age crime. This treaty provides important tools in the battles against terrorism, attacks on computer networks, and the sexual exploitation of children over the Internet, by strengthening U.S. cooperation with foreign countries in obtaining electronic evidence. The Convention is in full accord with all U.S. constitutional protections, such as free speech and other civil liberties, and will require no change to U.S. laws."
Press release: "Senator Olympia J. Snowe (R-ME), Chair of the Senate Committee on Small Business and Entrepreneurship, today introduced the "Small Business Information Security Act of 2006," (S. 3786) legislation that will create the "Small Business Information Security Task Force" within the Small Business Administration to help small businesses both understand the information security challenges they face and identify resources to help meet those challenges."
Into the Breach: Security Breaches and Identity Theft/Research Report
July 2006 — "Security breaches of data files can lead to identity theft. In this AARP Public Policy Institute Data Digest, Neal Walters analyzes 244 breaches between January 1, 2005 and May 26, 2006, and finds that 40 percent were caused by hackers or insider access targeting sensitive personal information, potentially exposing 50 million individuals’ names and personal data."
GSA press release: "The U.S. General Services Administration’s (GSA) Office of Citizens Services & Communications is warning the public to avoid falling victim to a recent e-mail scheme that targets users by sending unsolicited e-mails allegedly from FirstGov, the citizen portal operated by GSA. These scam e-mails tell recipients that because of recent fraudulent activities on Money Access Online they need to confirm their account has not been stolen or hacked. The e-mails then direct recipients to click on a link and enter information related to personal credit card accounts."
EPIC: "A data breach notification bill [H.R. 3997] backed by the House Financial Services Committee drew criticisms from state law enforcement officials and a coalition of consumer groups, who said that existing state laws are more effective at protecting consumers. In a letter to House leadership signed by 48 state attorneys general, the National Association of Attorneys General stated that an effective data breach law should preserve strong consumer protections and allow states to enforce data breach laws. Consumer groups said that the Financial Data Protection Act "does nothing positive for consumers and rolls back existing state consumer protection laws."
Improved Administration Can Enhance Science and Technology Laptop Computer Security (Redacted), OIG-06-42 (PDF, 36 Pages), July 27, 2006.
Press release: "According to MarkMonitor's AntiFraud Operations Center™ (AFOC), domain-based phishing attacks now represent 73 percent of all attacks, up from 35 percent just 18 months ago." Related reference in this press release to an academic paper titled, Why Phishing Works.
The Subcommittee on Financial Institutions and Consumer Credit, chaired by Rep. Spencer Bachus (AL), held a hearing today entitled "ICANN and the Whois Database: Providing Access to Protect Consumers from Phishing." Government officials contend that access to Whois data is essential in the effort to combat cybercrimes, while privacy advocates maintain that access to data on domain name holders facilitates phishing, spam and other types of fraud.
Press release: "The Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad today released its 2006 report citing that virus attacks are the leading cause of financial losses. The top four categories -- virus attacks, unauthorized access to networks, lost/stolen laptops or mobile hardware and theft of proprietary information or intellectual property -- according to the 2006 Computer Crime and Security Survey, account for more than 74 percent of financial loss."
AP: "Computer break-ins at the State Department that caused broad disruptions in recent weeks apparently originated in the East Asia-Pacific region, a department spokesman said Wednesday."
Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans, Rpt. #06-02238-163, July 11, 2006 (78 pages, PDF)
Risky Business? How Multinationals' Outsourcing Involving Customer Data Can Lead to Identity Theft and Other Fraud, by Anita Ramasastry.
In the wake of the steady stream of news (the latest at this time is here) about stolen laptops and data breaches impacting state and federal government agencies and personnel, as well as corporations large and small, this AP article raises an important question: "...Why is so much private data allowed to be on laptops to begin with?"
Press release: "CA today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security."
From the Privacy Rights Clearinghouse, A Chronology of Data Breaches Reported Since the ChoicePoint Incident, updated June 30, 2006. Breaches reported in June 2006 include the Nebraska Treasurer's Office and the Minnesota Dept. of Revenue.
Hearings were held June 27 and June 28, 2006 by the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce, on Making the Internet Safe for Kids: The Role of ISP's and Social Networking Sites.
Related government news and documents:
Press release: "CDT's report charts the important cases against spyware distributors and identifies the statutes applied, June 26, 2006."
WSJ free feature: Laptop Lockdown - Companies Start Holding Employees Responsible for Security Of Portable Devices They Use for Work
Press release: "Sen. Bob Bennett (R-Utah) and Sen. Tom Carper (D-DE), members of the Senate Banking Committee, today introduced legislation to help protect individuals and businesses from the rampant crimes of identity theft and account fraud...The new bill requires that all entities – such as financial institutions, universities, retailers and federal agencies – safeguard sensitive information, investigate security breaches and notify consumers when there’s a substantial risk of identity theft or account fraud. That means retailers that take credit card information are now covered; data brokers who compile private information are covered; and government agencies that possess nonpublic personal information are also covered."
The Consumer Privacy Legislative Forum (whose members include Google, Microsoft, Oracle, EBay Inc., Hewlett-Packard Co., Intel Corp., Sun Microsystems Inc. and Symantec Corp.) issued a statement supporting "a serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework."
Following up on previous postings on the VA data breach, today the GAO issued yet another related report - Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs, Full text GAO-06-897T, and Highlights, June 20, 2006.
Yet another report today about the theft of a laptop from the home of a government employee, this time involving info on D.C. government personnel. The issue of why so many institutions have not implemented proper security measures, such as encryption on digital media removed from the office, remains baffling.
News.com: "Cybercrooks are organizing better and moving to more sophisticated tactics to get their hands on confidential data and turn PCs of unwitting users into bots, representatives from the U.S. Department of Justice and the U.S. Air Force Office of Special Investigations said in separate presentations here at the Computer Security Institute's NetSec event this week."
Follow-up to recent postings on the VA ID theft and the continuing reports of government and corporate enterprise data breaches, see this Gartner press release: Gartner Says Rash of Personal Data Thefts Shows Social Security Numbers Can No Longer Be Sole Proof of Identity for Enterprises.
Related to previous postings on the recent breach of Veterans' data that was the focus of press and Congressional scrutiny, from GAO today, this report - Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues, full-text GAO-06-866T, and Highlights, June 14, 2006. From the report: "For many years, significant concerns have been raised about VA's information security--particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information. Both GAO and the department's inspector general have reported recurring weaknesses in such areas as access controls, physical security, and segregation of incompatible duties."
Related government documents:
WSJ free feature: Seeking a Safer Internet - New Tools Flag Sites With Spyware, Spam - But the Technology Is Far From Perfect
Press release, June 9, 2006: "Governor George E. Pataki today signed three bills [Security Freeze Law, Disposal of Personal Records Law, Anti-Phishing Act of 2006] that will further protect New York's consumers and their privacy. These bills will allow consumers to proactively defend themselves against identity thieves, require businesses to properly discard documents and records containing personal information, and prohibit individuals from deceptively soliciting sensitive information from Internet users. They will also help prohibit the potential repercussions that many identity theft victims encounter, including the denial of loan applications, false arrest, and criminal records."
Hearing, Cyber Security Challenges at the Department of Energy, June 9, 2006. [note: links to member statements and witness testimony not yet available - after an open session, there was a closed session to discuss security issues related to a previously unreported data breach.]
Government Reform Committee Oversight Hearing, "Once More Into the Data Breach: The Security of Personal Information at Federal Agencies," June 8, 2006. "The data loss at VA is the largest by a federal agency to date, and the latest in a long string of personal information breaches in the public and private sectors, including financial institutions, data broker companies, and academic institutions."
Indiana House Bill 1101 (HB 1101), which takes effect July 1, will "require disclosure of security breaches and encryption of data by companies holding customers' and clients' personal identification information in computer databases if it could cause identity theft, identity deception, or fraud."
Follow-up to postings on breach of veterans data, this press release from Sen. Patrick Leahy comments on the announcement that "the Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel – including nearly 80 percent of our active-duty force -- were among the data the VA has lost."
Press release, May 31, 2006: "Gov. Lynch today signed Senate Bill 334, which will allow victims of identity theft to ask their credit reporting agency for a "credit freeze." Once they do, their credit reports cannot be forwarded without their consent or involvement, which will help prevent identity thieves from using people's good credit against them. A credit freeze will also prevent criminals from being able to open new lines of credit in their victims' names...The law goes into effect on Jan. 1, 2007."
Another follow-up to postings and resources for veterans impacted by recent data breach: "The FTC is advising veterans and their families to keep a close hold on their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive personal information. One technique scammers use to get this information is phishing: they send an e-mail that appears to be from a well-known company, asking recipients to verify their personal information and luring them to a Web site that looks genuine, but is bogus. Scammers can lie on the telephone, as well, to get personal information." [Link]
Follow-up to postings and resources for veterans impacted by recent data breach, this press release (includes text of letter to HHS): "Thirty organizations participating in the Consumer Coalition for Health Privacy yesterday asked U.S. Department of Health and Human Services Secretary Mike Leavitt to undertake a compliance review of the U.S. Department of Veterans Affairs pursuant to the authority granted him by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Medical diagnostic codes and disability rating information about an undisclosed number of disabled veterans were stolen last month from the home of a VA employee along with 26.5 million veterans' names, birth dates and Social Security numbers."
Press release: "A new cyber security study released today highlights the difference between perception and reality of consumers' awareness of online scams and their actual online behavior. While 87 percent of consumers polled said they were confident they could recognize fraudulent e-mails, 61 percent failed to identify a legitimate e-mail. Most respondents categorized all e-mails in the study as fake, even though one of them was legitimate. The Online Fraud Report has been sponsored by the National Cyber Security Alliance (NCSA), a central clearinghouse for cyber security awareness and education for home users, small businesses and the education community, and Bank of America."
According to the New York Times, Arizona's rapid population growth combined with a "heavy traffic in methamphetamine" are significant factors in the state's ranking at the top of the list for ID theft complaints recorded by the FTC.
"In recognition of National Internet Safety Month (June 2006), National Criminal Justice Reference Service presents this compilation of Internet safety resources."
Follow-up to the latest extensive incident of ID theft involving government records and citizen personal data, see OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006.
Related government documents and news:
Refereed technical papers from 11 research areas are available from the WWW2006 Conference, May 23-26, 2006. Topic areas include: business success, next wave, education and science, security and health.
NIST's National Vulnerability Database: Search for Vulnerabilities - Enter vendor, software, or keyword.
Follow-up to posting yesterday, Theft of Data on Over 25 Million Veterans Renews Calls for Greater Security, this news from the government today: "Over the weekend following the recent theft of 26.5 million veterans' records, the Department of Veterans Affairs (VA) quickly put in place a call center and website to answer questions about the implications of the theft and the steps veterans can take to protect themselves from misuse of their personal information. The call center, at 1-800-FEDINFO, operates from 8:00 a.m. to 9:00 p.m. (EDT) Monday to Saturday. It can handle up to 260,000 toll-free calls a day. The latest information on VA data security is posted on Firstgov.gov, the U.S. government's official Web portal."
Related news and government documents:
Statement of Secretary of Veterans Affairs R. James Nicholson on the Status of the Veterans Data Theft (5/24/06): "I am outraged at the loss of this veterans' data and the fact an employee would put it at risk by taking it home in violation of our policies. I am also concerned about the timing of the Department's response once the burglary became known. I will not tolerate inaction and poor judgment when it comes to protecting our veterans."
5-11-06: Three-level security flaws found in Diebold touch-screens. Critical Security Alert: Diebold TSx and TS6 voting systems by Harri Hursti, for Black Box Voting, Inc. (12 pages, PDF)
Cybersecurity Enhancement and Consumer Data Protection Act of 2006 (H.R. 5318), To amend title 18, United States Code, to better assure cyber-security, and for other purposes, introduced 5/9/2006, by Rep. James F. Sensenbrenner Jr.
Solove, Daniel J. and Hoofnagle, Chris Jay, A Model Regime of Privacy Protection (Version 3.0). Illinois Law Review, Vol. 2006, p. 357, 2006.
FTC press release: "The Federal Trade Commission today told the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce that in the effort to reconcile the beneficial uses of Social Security Numbers with the threats to consumer privacy, "The challenge is to find the proper balance between the need to keep SSNs out of the hands of identity thieves, while giving businesses and government entities sufficient means to attribute information to the correct person.""
Fact Sheet: The President's Identity Theft Task Force: "This task force will marshal the resources of the Federal government to crack down on the criminals who traffic in stolen identities and protect American families from this devastating crime."
"The Committee on Energy and Commerce, to whom was referred the bill (H.R. 4127) to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass." [House Report 109-453 - Part 1 - Data Accountability and Trust Act (DATA), Ordered to be printed May 6, 2006]
FTC press release: "A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."
The RFID Hacking Underground, by Annalee Newitz: "They can steal your smartcard, lift your passport, jack your car, even clone the chip in your arm. And you won't feel a thing. 5 tales from the RFID-hacking underground."
Preventing Identity Theft and Data Security Breaches: The Problem With Regulation, by Clyde Wayne Crews and Brooke Oberwetter, Competitive Enterprise Institute, May 9, 2006 (24 pages, PDF)
Building and Implementing a Successful Information Security Policy, by John J. Pak, May 8, 2006 (25 pages, PDF).
Cyber Security Industry Alliance Board Urges Congressional Leadership on Consumer Data Protection: Letter to Congressional Leadership
"The Software & Information Industry Association's Anti-Piracy Division conducts a comprehensive, industry-wide campaign to fight software and content piracy. The pro-active campaign is premised on the notion that one must balance enforcement with education in order to be effective."
Personal Information: Agencies and Resellers Vary in Providing Privacy Protections, Full-text GAO-06-609T, April 4, 2006. Highlights.
Press release: "The Anti-Spyware Coalition today released two new resources to help consumers and enterprises better protect themselves against spyware and unwanted adware...The coalition's two new documents walk consumers and network operators through the steps they should be taking to protect their machines against adware, spyware and other malicious software."
Press release: "An estimated 3.6 million households, or about 3 percent of all households in the nation, learned that they had been the victim of at least one type of identity theft during a six-month period in 2004, the Justice Department’s Bureau of Justice Statistics (BJS) announced today. Forty-eight percent had experienced an unauthorized use of credit cards; 25 percent had other accounts, such as banking accounts, used without permission; 15 percent experienced the misuse of personal information and 12 percent experienced multiple types of theft at the same time. These findings represent six-month estimates based on interviews conducted from July through December 2004 for the BJS National Crime Victimization Survey."
Press release: "Federal Trade Commission Chairman Deborah Platt Majoras today issued the agency's 2006 Annual Report at the American Bar Association’s Section of Antitrust Law Spring Meeting in Washington, DC. The report, entitled "The FTC in 2006: Committed to Consumers and Competition," (62 pages, PDF) is available now on the Commission's Web site and includes sections on the FTC's competition and consumer protection missions and recent accomplishments, as well as a summary of the policy tools it uses to complement its array of law enforcement and international outreach and coordination efforts."
Social Security Numbers: More Could be Done to Protect SSNs, Full text GAO-06-586T, and Highlights. March 30, 2006.
"The Better Business Bureau (BBB) has partnered with nationally-recognized security and privacy experts to create a new toolkit to help small business owners manage security and privacy challenges. We call it Security & Privacy - Made Simpler (TM). The objective is to demystify the complexities of data security and give small businesses a non-technical roadmap to securing their customer data, and their employees' data, too."
"PhishRegistry.org is a free service provided by CipherTrust, Inc. to help businesses know when they are at risk of being phished. PhishRegistry.org monitors the content of your website and alerts you when attempts to duplicate it have been detected. Weekly reports are sent to your email address with information about suspect websites."
Privacy Rights Clearinghouse, Updated March 23, 2006: A Chronology of Data Breaches Reported Since the ChoicePoint Incident
"Thousands of visitors to StopBadware.org have shared their badware experiences with us since we launched. From their stories, we've identified and tested four applications that contain annoying or objectionable behaviors. To find out what we think of Kazaa, MediaPipe, SpyAxe, and Screensaver.com, read our reports (all in PDF):"
Information Security: Department of Health and Human Services Needs to Fully Implement Its Program, Full Report, GAO-06-267 and Highlights, February 24, 2006.
OIG-Identified Management and Performance Challenges Facing the FDIC (2005)
Press release: "Neil Holloway, president of Microsoft Europe, Middle East and Africa (EMEA), unveiled a global law enforcement campaign that will target cybercriminals behind phishing attacks. Microsoft Corp. announced that by the end of June 2006 it will have initiated legal actions on more than 100 cases in EMEA against individuals suspected of committing online fraud; 53 of these will have already started by the end of March 2006...The legal actions are linked to a larger Microsoft(R) program, the Global Phishing Enforcement Initiative (GPEI), launched by the company to coordinate and expand its many anti-phishing efforts worldwide to fight phishers through consumer protection, partnerships and prosecution."
Press release, March 16, 2006: The Federal Trade Commission today told the House Committee on Small Business, Subcommittee on Regulatory Reform and Oversight that protecting consumers' privacy rights is a top priority for the agency. Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, told the Committee, "The Commission is committed to aggressive law enforcement, vigorous consumer and business education efforts, and global cooperation to safeguard the security of consumers’ personal information." To date, the agency has brought 12 data security cases, six spyware and adware cases, more than a dozen financial pretexting cases, and more than 80 spam cases.
U.S. Newswire: "The House Financial Services Committee voted today to repeal strict state notification and credit freeze laws that have helped to protect consumers from identity theft and financial fraud. These laws provide essential protections that allow consumers to prevent identity thieves from opening credit accounts in their names and require companies to inform consumers when their personal data -- such as their Social Security and credit card numbers -- have become compromised."
Press release: "Consumer confidence in conducting business and protecting personal data online is threatened every day by phishing scams. In an initiative led by the National Consumers League (NCL), law enforcement, financial services and technical industries have joined forces to combat this threat. The group today issued a "call to action" with the release of a paper outlining key recommendations that form a comprehensive plan for combating phishing more effectively."
Government Reform Committee Oversight Hearing: No Computer System Left Behind: A Review of the 2005 Federal Computer Security Scorecards, March 16, 2006.
Press release: "Attorney General Eliot Spitzer today announced a settlement to address what may have been the largest breach of privacy in internet history. The settlement with Datran Media, a leading e-mail marketer, follows an investigation that identified the improper disclosure of the personal information of more than six million American consumers."
From Viviane Reding, Member of the European Commission responsible for Information Society and Media, "Safety on the Net" (7 pages, PDF), (09/02/06).
Symantec Internet Security Threat Report, Volume IX: March 2006 Highlights.
Press release: "Citing the need to safeguard the personal information of Minnesotans, Governor Pawlenty today announced a series of proposals that will protect personal privacy and improve the way state government handles personal data...In 2005, more than 3,000 Minnesotans became the victims of identity theft according to the Federal Trade Commission."
NPR: Identity Theft - Protecting Your Good Name, February 27, 2006. (17 pages, PDF)
New York Times: Cyberthieves Silently Copy Your Passwords as You Type
FTC press release: "In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."
Related documents:
New York Times: Too Many New Gadgets, Too Much Information at Risk: Loss, theft and viruses are major issues as corporate use of handheld devices and pocket PCs increases. Pre-emptive security options are available however, as this article describes.
Managing Cybersecurity Resources: A Cost-Benefit Analysis "details guidelines for using sound and measurable principles of cost-benefit analysis, as a complement to gut instinct, to efficiently allocate and manage cybersecurity resources within your organization. Written by two globally acknowledged leaders in the increasingly critical area of cybersecurity (Lawrence A. Gordon and Martin P. Loeb), this comprehensive exploration presents:
Responding to Security Incidents on a Large Academic Network: by Jamie Riden 02/14/06 (9 pages, PDF). "This paper describes a series of security incidents on a large academic network, and the gradual evolution of measures to deal with emerging threats."
Follow-up to House Cmte. Seeks Operations Docs. from Websites Selling Cell Phone Records, "House Energy and Commerce Committee investigators have identified people behind 22 Web pages that may offer criminals, stalkers and any other paying customer the detailed records of a person's private telephone calls."
"The goal of the National Computer Security Survey (NCSS) is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses. The first national survey of thousands of businesses is being conducted in 2006. Sponsors: U.S. Department of Justice, Bureau of Justice Statistics and the U.S. Department of Homeland Security, National Cyber Security Division (NCSD)."
Related government documents:
Data Security: Federal and State Laws, February 03, 2006
UK Home Office: Updated Estimate of the Cost of Identity Fraud to the UK Economy, 2 February 2006 (4 pages, PDF).
The new StopBadware.org website, sponsored by the Berkman Center, the Oxford Internet Institute, with assistance from Consumer Reports WebWatch, ..."will seek to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. We aim to become a central clearinghouse for research on badware and the bad actors who spread it, and to become a focal point for developing collaborative, community-minded approaches to stopping badware."
Identity Theft Again Leads the List: "The Federal Trade Commission...released its annual report (77 pages, PDF) detailing consumer complaints about fraud and identity theft in 2005. Complaints about identity theft topped the list, accounting for 255,000 of more than 686,000 complaints filed with the agency in 2005. The complaints, filed online or at a toll-free number, are shared via a secure database with more than 1,400 federal, state, and local law enforcement agencies, and law enforcement and consumer protection agencies in Canada and Australia."
FTC press release: "Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to est