Cybercrime
February 04, 2010
* FTC Testifies About Stepped-Up Efforts to Protect Consumers Affected by the Economic Downturn

News release: "The Federal Trade Commission today told the U.S. Senate Committee on Commerce, Science and Transportation that the agency has stepped up efforts to protect consumers affected by the economic downtown, and that additional authority would make the agency even more effective. The testimony presented by FTC Chairman Jon Leibowitz described the agency’s efforts to prosecute financial fraud and deception, including working with states to bring hundreds of cases against mortgage relief scams in 2009. The testimony also discussed the FTC’s rulemaking and consumer education initiatives, how additional authority will enhance the agency’s effectiveness, and the FTC’s perspective on recent proposals to create a consumer financial protection agency as part of a broader reform of the financial services regulatory system."

  • Related postings on financial system
  • February 02, 2010
    * Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence

    Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, Dennis C. Blair, Director of National Intelligence, February 2, 2010

  • "The national security of the United States, our economic prosperity, and the daily functioning of our government are dependent on a dynamic public and private information infrastructure, which includes telecommunications, computer networks and systems, and the information residing within. This critical infrastructure is severely threatened. This cyber domain is exponentially expanding our ability to create and share knowledge, but it is also enabling those who would steal, corrupt, harm or destroy the public and private assets vital to our national interests. The recent intrusions reported by Google are a stark reminder of the importance of these cyber assets, and a wake-up call to those who have not taken this problem seriously. Companies who promptly report cyber intrusions to government authorities greatly help us to understand and address the range of cyber threats that face us all. I am here today to stress that, acting independently, neither the US Government nor the private sector can fully control or protect the country’s information infrastructure. Yet, with increased national attention and investment in cyber security initiatives, I am confident the United States can implement measures to mitigate this negative situation."
  • * Phishing Activity Trends Report, 3rd Quarter / 2009

    The quarterly APWG (AntiPhishing Working Group) Phishing Activity Trends Report analyzes phishing attacks reported to the APWG by its member companies, its Global Research Partners, through the organization’s website and by email submissions. APWG also measures the evolution, proliferation and propagation of crimeware drawing from the research of our member companies. In the last half of this report you will find tabulations of crimeware statistics and related analyses."

    January 31, 2010
    * Information Society Statistical Profiles 2009: Arab States

    News release: Arab States define key ICT development priorities Broadband, digital broadcasting, open source software, Arab digital content and cybersecurity are main objectives. "The Arab States Regional Preparatory Meeting (RPM) for the International Telecommunications Union (ITU) World Telecommunication Development Conference 2010 (WTDC-10) concluded on Tuesday, 19 January in Damascus, Syrian Arab Republic, with delegates reaching consensus on regional strategies to foster the development of information and communication technologies (ICTs)."

    • Information Society Statistical Profiles 2009: Arab States - "Over the past decade, the Arab States region has made significant progress when it comes to ICT access and use. In the mobile market, a number of national operators have expanded their services to customers across and beyond the region. Mobile telephony has grown at an annual rate of 55 per cent, reaching a penetration level of 63 per cent at the end of 2008. There are now 16 Internet users per 100 inhabitants, compared to only 4 in 2003. Nevertheless, compared to other regions, Internet usage, and particular broadband access, is still rather limited and out of the reach of most people in the region, in particular those living in rural areas."
    • See also Presentation, Information Society Statistical Profiles 2009 Arab States, Damascus, Syria, 17-19 January 2010

    * McAfee, Inc. Report Reveals Critical Infrastructure Under Constant Cyberattack Causing Widespread Damage

    News release: "McAfee, Inc. revealed [at the World Economic Forum Annual Meeting 2010] the staggering cost and impact of cyberattacks on critical infrastructure such as electrical grids, oil and gas production, telecommunications and transportation networks. A survey of 600 IT security executives from critical infrastructure enterprises worldwide showed that more than half (54%) have already suffered large scale attacks or stealthy infiltrations from organized crime gangs, terrorists or nation-states. The average estimated cost of downtime associated with a major incident is $6.3 million per day. The report, In the Crossfire: Critical Infrastructure in the Age of Cyberwar, commissioned by McAfee and authored by the Center for Strategic and International Studies (CSIS), also found that the risk of cyberattack is rising. Despite a growing body of legislation and regulation, more than a third of IT executives (37%) said the vulnerability of their sector had increased over the past 12 months and two-fifths expect a major security incident in their sector within the next year. Only 20% think their sector is safe from serious cyberattack over the next five years."

    January 29, 2010
    * Navy Establishes U.S. Fleet Cyber Command at Fort Meade, MD

    OPNAV NOTICE 5400, January 11, 2010: "Action will establish U. S. Fleet Cyber Command as an echelon II command to serve as the Navy Component Commander to United States Cyber Command upon its establishment. Interim reporting will be to United States Strategic Command. Command will provide for operational employment of the Navy's cyber, network operations, information operations, cryptologic and space forces, and serve as the Navy's Service Cryptologic Component Commander to the National Security Agency. U.S. Tenth Fleet. will be re-commissioned to control operations supporting U. S. Fleet Cyber Command.

  • Mission: To direct Navy cyberspace operations globally to deter and defeat aqgression and to ensure freedom of action achieve military objectives in and through cyberspace; to organize and direct Navy cryptologic operations worldwide and support information operations (IO) and space planning and operations, as directed; to execute cyber missions as directed by USCYBERCOM; to direct, operate, maintain, secure and defend the Navy's portion of the Global Information Grid (GIG); to deliver integrated cyber, 10, cryptologic and space capabilities; to deliver global Navy cyber network common operational picture; and to develop, coordinate and assess Navy cyber operational requirements."
  • January 27, 2010
    * Investigative Report - US oil industry hit by cyberattacks

    Christian Science Monitor: "At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage. The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show. The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show. The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says."

  • See also, Remarks on Internet Freedom, Hillary Rodham Clinton, Secretary of State, January 21, 2010: "States, terrorists, and those who would act as their proxies must know that the United States will protect our networks. Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government, and our civil society. Countries or individuals that engage in cyber attacks should face consequences and international condemnation. In an internet-connected world, an attack on one nation’s networks can be an attack on all. And by reinforcing that message, we can create norms of behavior among states and encourage respect for the global networked commons."
  • January 26, 2010
    * Ponemon 2009 Annual Study: Cost of a Data Breach

    "This 2009 Ponemon Institute 2009 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent the cost estimates of activities resulting from the actual data loss incidents. This is the fifth annual survey of this issues. Breaches included in the survey included ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors."

    January 19, 2010
    * Global Risks 2010 A Global Risk Network Report

    Global Risks 2010 - A Global Risk Network Report. A World Economic Forum Report in collaboration with Citi, Marsh & McLennan Companies (MMC), Swiss Re, Wharton School Risk Center, Zurich Financial Services. January 2010.

  • "This year’s report explores a set of risks that share a potential for wider systemic impact and are strongly linked to a number of significant, long-term trends. First, there are those which feature highly on the Global Risks Landscape and which predated the recession but have been exacerbated by its impact through greater resources constraints or short-term thinking. These include:
    • Fiscal crises and the social and political implications of high unemployment
    • Underinvestment in infrastructure, both new and existing, and its consequences for growth, resource scarcity and climate change adaptation
    • Chronic diseases and their impact on both advanced economies and developing countries....other risks include: transnational crime and corruption; biodiversity loss; and cyber-vulnerability."
    • Related postings on financial system
  • January 12, 2010
    * Google Announces "A new approach to China"

    Official Google Blog:

  • "In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different...We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that "we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China." These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China."
  • January 11, 2010
    * Panda Security Publishes Virus Yearbook 2009

    Annual Report PandaLabs 2009

  • "The last 12 months really have marked a turning point in the history of IT security. This has been for several reasons, yet without doubt the main one has been the way in which criminal organizations have consolidated underground business models. In 2009, hackers have made more money than in any previous year, underlined not least by the total number of new and different malware samples received by PandaLabs throughout the year, exceeding by far the forecasts we made in 2008. At time of writing, there are over 40 million malware samples in our Collective Intelligence system, and we are still receiving an average of 55,000 new samples every day. This trend, which began in 2008 and has been consolidated in 2009, will continue to determine the daytoday activity of anti-malware laboratories during 2010...In this report we will take a look at how malware is evolving worldwide and we will try to analyze the main trends of 2010. Without revealing too much, let’s just say the future doesn’t look too bright."
  • January 05, 2010
    * McAfee Labs Predicts Facebook, Twitter Will Be Platforms of Choice for Emerging Threats

    News release: "McAfee Inc. unveiled its 2010 Threat Predictions report. McAfee Labs believes cybercriminals will target social networking sites and third-party applications, use more complex Trojans and botnets to build and execute attacks, and take advantage of HTML 5 to create emerging threats. McAfee Labs also predicts 2010 will be a good year for law enforcement’s fight against cybercrime...Facebook, Twitter, and third-party applications on these sites are rapidly changing the criminal toolkit, giving cybercriminals new technologies to work with and hot spots of activity that can be exploited. Users will become more vulnerable to attacks that blindly distribute rogue apps across their networks, and cybercriminals will take advantage of friends trusting friends to get users to click on links they might otherwise treat cautiously. The use of abbreviated URLs on sites like Twitter make it even easier for cybercriminals to mask and direct users to malicious Web sites. McAfee Labs predicts that cybercriminals will increasingly use these tactics across the most popular social networking sites in 2010."

    January 03, 2010
    * Growth of Cloud Computing and Parallel Security Risks

    Security in the Ether - Information technology's next grand challenge will be to secure the cloud--and prove we can trust it. By David Talbot, Technology Review, January/February 2010 [Dan Mitchel]

  • "In 2006, when Amazon introduced the Elastic Compute Cloud (EC2), it was a watershed event in the quest to transform computing into a ubiquitous utility, like electricity. Suddenly, anyone could scroll through an online menu, whip out a credit card, and hire as much computational horsepower as necessary, paying for it at a fixed rate...Those systems would run on "virtual machines" that could be created and configured in an instant, disappearing just as fast when no longer needed. As their needs grew, clients could simply put more quarters into the meters. Amazon would take care of hassles like maintaining the data center and network. The virtual machines would, of course, run inside real ones: the thousands of humming, blinking servers clustered in Amazon's data centers around the world. The cloud computing service was efficient, cheap, and equally accessible to individuals, companies, research labs, and government agencies. But it also posed a potential threat. EC2 brought to the masses something once confined mainly to corporate IT systems: engineering in which Oz-like programs called hypervisors create and control virtual processors, networks, and disk drives, many of which may operate on the same physical servers."
  • Related postings on cloud computing
  • * Major International Hacker Pleads Guilty For Massive Attack On U.S. Retail And Banking Networks

    News release: "Albert Gonzalez, 28, of Miami, pleaded guilty today to conspiring to hack into computer networks supporting major American retail and financial organizations, and to steal data relating to tens of millions of credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, U.S. Attorney for the District of New Jersey Paul J. Fishman, U.S. Attorney for the District of Massachusetts Carmen Milagros Ortiz and Director of the U.S. Secret Service Mark Sullivan. Gonzalez, aka “segvec,” “soupnazi” and “j4guar17,” pleaded guilty to two counts of conspiracy to gain unauthorized access to the payment card networks operated by, among others, Heartland Payment Systems, a New Jersey-based card processor; 7-Eleven, a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. The plea was entered in federal court in Boston before U.S. District Court Judge Douglas P. Woodlock. The case is one of the largest data breaches ever investigated and prosecuted in the United States."

    December 31, 2009
    * FTC, Partners Launch Consumer Protection Week Web Site, Blog

    News release: "The Federal Trade Commission has launched its Web site and blog for National Consumer Protection Week 2010, which will be held March 7-13. Consumer.gov/ncpw, encourages people to learn about their rights as consumers, and promotes free resources to help them protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams. The twelfth annual consumer protection week is a partnership between the FTC and other government agencies and consumer groups. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life – from grade school to retirement. The site for the event features a page for kids and parents, and highlights games, videos, and other Web sites that teach kids practical lessons about the role of business and government in their everyday lives."

    * FTC Issues Staff Report on Agency's Fraud Forum

    News release: "The Federal Trade Commission today issued a Fraud Forum staff report that examines more effective ways to protect consumers from fraudulent schemes and focus the collective knowledge and experience of forum participants to fight fraud. The February 2009 Forum was attended by academics, consumer advocates, industry representatives, and state and federal law enforcers. The Fraud Forum Report summarizes information presented at the event during panel and small group discussions on a range of issues including: the psychology of scammers and their victims, fraud statistics, under-reported fraud, and the role of private industry in detecting and preventing fraud."

  • A Staff Report On The Federal Trade Commission’s Fraud Forum By The Commission’s Division of Marketing Practices (December 2009)
  • December 19, 2009
    * NIST: Draft Security Requirements for Cryptographic Modules

    DRAFT Security Requirements for Cryptographic Modules (Revised Draft): "The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing."

    December 18, 2009
    * Cybersafety Booklet for Parents and Kids Now Available

    News release: "A new booklet released today by the Federal Trade Commission and other government agencies helps parents and teachers steer kids safely through the online and mobile phone worlds. Net Cetera: Chatting with Kids About Being Online was unveiled...by FTC Chairman Jon Leibowitz, U.S. Secretary of Education Arne Duncan, and Federal Communications Commission Chairman Julius Genachowski."

    December 15, 2009
    * FTC Issues Report to Congress on Use of its Enhanced Authority Under the U.S. SAFE WEB Act

    News release: "The Federal Trade Commission has issued a report to Congress examining how the agency has used the expanded law enforcement authority Congress provided in the U.S. SAFE WEB Act to protect American consumers since the Act was signed into law on December 22, 2006. The SAFE WEB Act authorizes the FTC to share information and work cooperatively with foreign law enforcement agencies to protect consumers from cross-border harm."

  • The U.S. SAFE WEB Act: The First Three Years: A Federal Trade Commission Report to Congress (December 2009)
  • December 09, 2009
    * FTC Exploring Privacy Roundtable Series

    "The Federal Trade Commission [is hosting] a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation." Via EPIC, The second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law.

  • FTC Privacy Initiatives Website
  • December 06, 2009
    * Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model

    Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model: "The Internet Security Alliance (ISA) report aimed at taking the Obama Administration’s Cyberspace Policy Review document to the next level. The report emphasizes the need to focus on the economics of cyber security."

    November 03, 2009
    * Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

    "The United States is increasingly dependent on information and information technology for both civilian and military purposes, as are many other nations. Although there is a substantial literature on the potential impact of a cyberattack on the societal infrastructure of the United States, little has been written about the use of cyberattack as an instrument of U.S. policy. Cyberattacks--actions intended to damage adversary computer systems or networks--can be used for a variety of military purposes. But they also have application to certain missions of the intelligence community, such as covert action. They may be useful for certain domestic law enforcement purposes, and some analysts believe that they might be useful for certain private sector entities who are themselves under cyberattack. This report considers all of these applications from an integrated perspective that ties together technology, policy, legal, and ethical issues. Focusing on the use of cyberattack as an instrument of U.S. national policy, Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights. Of special interest to the military, intelligence, law enforcement, and homeland security communities, this report is also an essential point of departure for nongovernmental researchers interested in this rarely discussed topic."

    October 31, 2009
    * Report - Lost Laptops: More Expensive Than You Think

    "New research quantifies the primary factors driving the cost of a lost or stolen laptop. Learn from Intel IT’s best practices."

  • "To better understand the range of potential outcomes, the Ponemon Institute compiled data on 138 instances of laptop loss or theft within a 12-month period by the employees, temporary employees, and subcontractors of a representative sample of U.S. businesses."
  • * Global Fraud Report Annual Edition 2009/2010

    Global Fraud Report Annual Edition 2009/2010

  • "Kroll commissioned The Economist Intelligence Unit to conduct a worldwide survey on fraud and its effect on business during 2009. A total of 729 senior executives took part in this survey. A little over a third of the respondents were based in North and South America, 25% in Asia-Pacific, just over a quarter in Europe and 11% in the Middle East and Africa. Ten industries were covered, with no fewer than 50 respondents drawn from each industry. The highest number of respondents came from the financial services industry (12%). A total of 46% of the companies polled had global annual revenues in excess of $1billion. This report brings together these survey results with the experience and expertise of Kroll and a selection of its affiliates. It includes content written by The Economist Intelligence Unit and other third parties."
  • October 28, 2009
    * New GAO Reports: 401(K) Plans, Higher Education and Disability, DOD Human Capital, NextGen Air Transport, Cyber Security
    • 401(K) Plans: Several Factors Can Diminish Retirement Savings, but Automatic Enrollment Shows Promise for Increasing Participation and Savings, GAO-10-153T, October 28, 2009
    • Higher Education and Disability: Education Needs a Coordinated Approach to Improve Its Assistance to Schools in Supporting Students, GAO-10-33, October 28, 2009
    • Human Capital: Monitoring of Safeguards and Addressing Employee Perceptions Are Key to Implementing a Civilian Performance Management System in DOD, GAO-10-102, October 28, 2009
    • Next Generation Air Transportation System: FAA Faces Challenges in Responding to Task Force Recommendations, GAO-10-188T, October 28, 2009
    • Critical Infrastructure Protection: Current Cyber Sector-Specific Planning Approach Needs Reassessment, GAO-09-969, September 24, 2009
    October 22, 2009
    * DOE OIG - The Agency's Unclassified Cyber Security Program 2009

    Evaluation Report, The Department's Unclassified, Cyber Security Program - 2009. DOE/IG-0828 October 2009

  • "Industry experts report that security challenges and threats are continually evolving as malicious activity has become more web-based and attackers are able to rapidly adapt their attack methods. In addition, the number of data breaches continues to rise. In an effort to mitigate and address threats and protect valuable information, the Department of Energy anticipated spending about $275 million in Fiscal Year (FY) 2009 to implement cyber security measures necessary to protect its information technology resources. These systems and data are designed to support the Department's mission and business lines of energy security, nuclear security, scientific discovery and innovation, and environmental responsibility."
  • October 19, 2009
    * Consumer Data Broker ChoicePoint Failed to Protect Consumers' Personal Data

    News release: "ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000. In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention."

    October 13, 2009
    * Rand: Cyberdeterrence and cyberwar

    Cyberdeterrence and cyberwar, by Martin C. Libicki: "This monograph presents the results of a fiscal year 2008 study, “Defining and Implementing Cyber Command and Cyber Warfare.” It discusses the use and limits of power in cyberspace, which has been likened to a medium of potential conflict, much as the air and space domains are. The study was conducted to help clarify and focus attention on the operational realities behind the phrase “fly and fight in cyberspace.” The basic message is simple: Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities. Permanent effects are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do so again. Something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought. This monograph is an attempt to start this rethinking."

    October 12, 2009
    October 07, 2009
    * FBI - Major Cyber Fraud Takedown

    FBI news release: "The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks. [October 7, 2009], authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme. The United States government is extremely grateful for the extraordinary assistance provided by the Egyptian government in this matter."

  • Citing Cybercrime, FBI Director Doesn't Bank Online: "The head of the U.S. Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt."
  • October 04, 2009
    * Cyber In-Security: Strengthening the Federal Cybersecurity Workforce

    "The U.S. is facing a cyber war. Foreign powers, criminal groups, hackers, and terrorist organizations have launched cyber attacks on the White House, Pentagon, State Department, and New York Stock Exchange; stolen data from the Pentagon’s fighter aircraft; and hacked into the nation’s electrical grid. There were millions of attempts to penetrate defense digital networks in 2008. In 2009, the General Accountability Office reported weaknesses in the capabilities of 23 of 24 federal agencies to detect or prevent cyber attacks. President Obama declared cybersecurity to be one of the nation’s most serious economic and security challenges. The federal government needs a coordinated, sustained effort to build the capability and caliber of the government’s cybersecurity workforce to combat these threats and ensure the nation’s safety. Booz Allen Hamilton and the Partnership for Public Service examined the state of the federal cybersecurity workforce by interviewing federal experts, examining public testimony and reports, holding focus groups, and surveying chief information officers (CIOs), chief information security officers (CISOs), and human resource professionals at 18 federal agencies. Results of this research were published in the study, Cyber In-Security: Strengthening the Federal Cybersecurity Workforce."

    October 02, 2009
    * UK Cybercrime Report 2009

    UK Cybercrime Report 2009

  • "UK cybercrime has rebounded to worrying levels, not seen since 2006, as a result of the recession and consumer complacency, according to Garlik’s annual UK Cybercrime report, now in its third year. The report, which analyses publicly available data to build a comprehensive view of cybercrime in the UK, revealed that during 2008 cybercriminals adapted to the social and economic changes in the UK to exploit victims in new ways and commit over 3.6 million criminal acts online (that’s over one every 10 seconds). In addition, the researchers believe that there is a growing complacency amongst consumers, demonstrating poor understanding of their responsibility to protect their personal information against fraud. One of the most significant changes in cybercrime has been the 207% increase in account takeover fraud indicating that criminals have now shifted their efforts from opening new accounts with stolen identities to accessing existing accounts. Savvy criminals have got round the drying up of available credit in the current economic climate to maintain their illegal activities. The report also highlights that online banking fraud has increased by a staggering 132%, with losses totalling £52.5 million, compared to £22.6 million in the previous year. This sharp rise can be mostly attributed to nearly 44,000 phishing websites specifically targeting banks and building societies in the UK. The total number of cybercrimes has increased annually between 2006 and 2008, however, the good news is that sexual offences have decreased as a category each year. All other categories dipped in 2007 but then in 2008 bounced back above their 2006 figure."
  • October 01, 2009
    * National Cybersecurity Awareness Month

    National Cybersecurity Awareness Month: "October marks the sixth annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. The theme for National Cybersecurity Awareness Month 2009 is “Our Shared Responsibility” to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good “cyber hygiene” and to protect themselves and their families at home, at work and at school. Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace."

    September 19, 2009
    * Legality of Intrusion-Detection System To Protect Unclassified Computers Networks In Executive Branch

    In following this January 9, 2009 memo, Legal Issues Relating to the Testing, Use and Deployment of an Intrusion-Detection System (EINSTEIN 2.0) to Protect Unclassified Computer Networks in the Executive Branch, this DOJ memo released September 18, 2009: Legality of Intrusion-Detection System To Protect Unclassified Computers Networks In Executive Branch - "Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws."

  • Department of Homeland Security Privacy Impact Assessment EINSTEIN 2, May 19, 2008. United States Computer Emergency Readiness Team (US-CERT): "EINSTEIN 2, will incorporate network intrusion detection technology capable of alerting the United States Computer Emergency Readiness Team (US‐CERT) to the presence of malicious or potentially harmful computer network activity in federal executive agencies’ network traffic. EINSTEIN 2 principally relies on commercially available intrusion detection capabilities to increase the situational awareness of the US‐CERT. This network intrusion detection technology uses a set of pre‐defined signatures based upon known malicious network traffic."
  • September 16, 2009
    * Google Buys reCAPTCHA - free anti-bot service that helps digitize books.

    "reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows...A CAPTCHA is a program that can tell whether its user is a human or a computer. You've probably seen them — colorful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from "bots," or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots cannot navigate sites protected by CAPTCHAs."

  • Official Google Blog - Teaching computers to read: Google acquires reCAPTCHA
  • September 13, 2009
    * Senators Lieberman, Collins Point to Cybercrime Epidemic

    News release: "Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., Sunday said the latest trend in cybercrime is directed at small to medium sized companies that have been robbed of both data and dollars...The thieves steal in amounts under $10,000 to avoid triggering a bank report required by anti-money laundering law. The malware is so well written that the traffic seems to be coming from an authorized computer – and possibly is a legitimate computer that has been commandeered. The money is then transferred to “money mules” who may have been recruited over internet job boards or who have posted resumes on a job listing serviceThe Committee will hold a hearing September 14, 2009, Cyber Attacks: Protecting Industry Against Growing Threats, to examine this new trend, and the Senators plan to introduce broad cyber security legislation later this fall that will improve cyber security in the private sector."

    September 11, 2009
    * International Hacker Pleads Guilty for Massive Hacks of U.S. Retail Networks

    Follow up to August 1, 2009 posting - Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks - today's news release: "An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity. Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks."

    August 20, 2009
    * New Release Identifies Proliferation of ID Theft Malware

    "PandaLabs issued a release on the proliferation of identity theft malware during times of economic crisis. Our research found that the number of users affected by malware designed for identity theft has increased 600 percent this year compared to the same time in 2008. PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats each day. Of these, 71 percent are Trojans, mostly aimed at stealing bank details or credit card numbers, as well as passwords for other commercial services. Between January and July 2009, PandaLabs received 11 million new threats, approximately 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51 percent of new Trojans that PandaLabs received in 2007."

    August 17, 2009
    * Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks

    News release: "Albert Gonzalez, 28, of Miami, Fla., was indicted today for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of New Jersey Ralph J. Marra Jr. and U.S. Secret Service Assistant Director for Investigations Michael Merritt...The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."

    August 05, 2009
    * Remarks by Secretary Napolitano at the Global Cyber Security Conference

    Remarks by Secretary Napolitano at the Global Cyber Security Conference, August 4, 2009: "We have to look at the landscape now; but, more important, we have to—I think—acknowledge amongst ourselves that in terms of cybersecurity we've been living in a cyber 1.0 world and we need to be cyber 3.0 and beyond. Because the minute we start talking about a particular methodology of cyber the cyber bad guys are already moving ahead. This is a very, very rapidly evolving environment in which real crime and real damage can occur."

    July 23, 2009
    * FTC Testifies About Efforts to Combat Fraudulent and Deceptive Advertising

    News release: "The Federal Trade Commission testified today before the U.S. Senate on its efforts to combat deceptive advertising in the face of rapid changes in health care, technology, and online marketing strategies. In testimony before the Senate Committee on Commerce, Science, and Transportation’s Subcommittee on Consumer Protection, Product Safety, and Insurance, David Vladeck, Director of the FTC’s Bureau of Consumer Protection, described the Commission’s recent law enforcement and regulatory efforts addressing deceptive advertising."

    July 18, 2009
    * Javelin: U.S. Credit Card Issuers Dramatically Improve Customer Fraud Detection

    News release: Javelin Strategy & Research released its Fifth Annual Card Issuers’ Identity Safety Scorecard, which analyzes the top 25 U.S. card issuers’ capabilities for protecting customers from identity fraud. To compile the report, Javelin incorporated data from annual household, consumer, and issuer surveys using Javelin’s Prevention, Detection and Resolution™ criteria to accurately reflect customer demands and trends in how issuers protect against fraud. The Javelin scorecard is a structured assessment of each issuer’s fraud protection services. The scorecard ranks features that best empower two major victims of the nation’s $48B identity fraud problem—cardholders and issuers—showing how to turn the tables on a worrying method of crime."

    July 14, 2009
    * FTC Testifies About Crackdown on Scams Tied to the Economic Downturn

    News release: "The Federal Trade Commission testified before the U.S. Senate today on the agency’s campaign to crack down on scammers who are trying to take advantage of the economic downturn to push a variety of scams, such as phony job-placement and debt-reduction services, get-rich-quick schemes, and bogus government grants...In response to the rise in financial distress scams, on July 1, 2009, the Commission announced “Operation Short Change,” a joint initiative with 14 states, the Department of Justice, and other agencies that included more than 120 law enforcement actions."

  • Hearing - The Economy and Fraud: Protecting Consumers During Downward Economic Times - Consumer Protection, Product Safety, and Insurance: "The reality is that with the economic challenges we face, families are more vulnerable than ever to financial scams, predatory marketing practices, and economic fraud. We all see the news every day about more layoffs, plant closings, soaring prices and more cutbacks in West Virginia and across the nation. No one deserves the potential ruin these schemes threaten. We have a responsibility to uncover them and provide consumers with the tools they need to avoid becoming victims of fraud and abuse.”
  • Related postings on financial system
  • July 12, 2009
    * PBS Frontline: Ghana - Digital Dumping Ground

    PBS.org FRONTLINE - Ghana, Digital Dumping Ground: "When containers of old computers first began arriving in West Africa a few years ago, Ghanaians welcomed what they thought were donations to help bridge the digital divide. But soon exporters learned to exploit the loopholes by labeling junk computers "donations"...[What is on the hard drives from this junk PCs'?] There is private financial data...credit card numbers, account information, records of online transactions the original owners may not have realized were even there. Ghana is listed by the U.S. State Department as one of the top sources of cyber crime in the world. And it's not just individuals who are exposed. One of the drives the team has purchased contains a $22 million government contract. It turns out the drive came from Northrop Grumman, one of America's largest military contractors. And it contains details about sensitive, multi-million dollar U.S. government contracts. They also find contracts with the defense intelligence agency, NASA, even Homeland Security."

  • Related postings on e-waste and recycling
  • July 01, 2009
    * FTC Cracks Down on Scammers Trying to Take Advantage of the Economic Downturn

    News release: "The Federal Trade Commission today announced a law enforcement crackdown on scammers trying to take advantage of the economic downturn to bilk vulnerable consumers through a variety of schemes, such as promising non-existent jobs; promoting overhyped get-rich-quick plans, bogus government grants, and phony debt-reduction services; or putting unauthorized charges on consumers’ credit or debit cards. Dubbed “Operation Short Change,” the law enforcement sweep announced today includes 15 FTC cases, 44 law enforcement actions by the Department of Justice, and actions by at least 13 states and the District of Columbia."

  • Related postings on financial system
  • June 25, 2009
    * DOE OIG: Incident Handling and Privacy Act

    U.S. Department of Education, Office of Inspector General, Information Technology Audits Division - Incident Handling and Privacy Act Controls over External Web Sites, Final Audit Report, Redacted, ED-OIG/A11I0006, June 10, 2009.

  • "Based on our review, the Department’s Chief Information Officer (CIO) must improve security controls over the incident response and handling program and accelerate two-factor authentication for protecting Privacy Act information to adequately protect the confidentiality, integrity, and availability of the personally identifiable information (PII) data residing on public web sites. During our audit, we also identified significant conditions related to the work performed regarding [Redacted Text] and public domain web site establishment and maintenance.
  • June 24, 2009
    * Comparing Technology Innovation in the Private and Public Sectors

    "Corporate websites generally offer more innovative features than public-sector sites, largely because the private sector spends about a third more on websites, according to a Brookings Institution study, Comparing Technology Innovation in the Private and Public Sectors. The study, released in mid-June, compares the websites of leading U.S. corporations with state and national governments, grades their overall performance, and examines nearly two dozen features of digital innovation.

    Using a 100-point scale, the study report concludes that corporations have the most innovative websites (65 points) and are trailed as a group by state government (54) and federal government (51). The top-rated site in the federal government category, USA.gov (92), equaled the score for the top-rated corporate site, WellsFargo.com. Other top-rated federal sites were USDA.gov, GSA.gov, USPS.com, IRS.gov, and ED.gov. Delaware.gov (83.7) was the top-rated state site, followed by the official websites of Georgia, Florida, California, Massachusetts and Maine. The report also revealed that public websites provide more security and are better at protecting privacy. Although federal government websites were the most accessible to users with disabilities, 75% percent of its websites were not completely accessible."

    June 23, 2009
    * Defense Secretary Announces Creation of Unified U.S. Cyber Command

    WSJ: "Defense Secretary Robert Gates created a new military command dedicated to cyber security on Tuesday, reflecting the Obama administration's plans to centralize and elevate computer security as a major national-security issue. In a memo to senior Pentagon officials, Mr. Gates said he intends to recommend that Lt. Gen. Keith Alexander, director of the National Security Agency, take on the additional role as commander of the Cyber Command with the rank of a four-star general."

    June 17, 2009
    * New GAO Reports: Broadcasting to Cuba, Polar-Orbiting Satellites, Troubled Asset Relief Program, American Battle Monuments
    • Broadcasting to Cuba: Observations Regarding TV Marti's Strategy and Operations, GAO-09-758T, June 17, 2009
    • Identity Theft: Governments Have Acted to Protect Personally Identifiable Information, but Vulnerabilities Remain, GAO-09-759T, June 17, 2009
    • Polar-Orbiting Environmental Satellites: With Costs Increasing and Data Continuity at Risk, Improvements Needed in Tri-agency Decision Making, GAO-09-564, June 17, 2009
    • Polar-Orbiting Satellites: With Costs Increasing and Data Continuity at Risk, Improvements Needed in Tri-agency Decision Making, http://www.gao.gov/new.items/d09772t.pdf, June 17, 2009
    • Telecommunications: Preliminary Observations about Consumer Satisfaction and Problems with Wireless Phone Service and FCC's Efforts to Assist Consumers with Complaints, GAO-09-800T, June 17, 2009
    • Troubled Asset Relief Program: June 2009 Status of Efforts to Address Transparency and Accountability Issues, GAO-09-658, June 17, 2009
    • American Battle Monuments Commission: Management Action Needed to Improve Internal Control Procedures, GAO-09-714R, June 17, 2008
    June 14, 2009
    * Cyber-Ark 2009 Trust, Security & Passwords Survey Research Brief

    2009 Trust, Security & Passwords Survey Research Brief: "This global "snooping" survey is the third in a series of benchmark studies focused on identifying security and privacy trends among IT workers. Results are intended to raise awareness about the risks associated with powerful, and often unmanaged, privileged users and passwords. While seemingly innocuous, these accounts provide workers with "keys to the kingdom," allowing them to access critically sensitive information, no matter where it resides."

    June 11, 2009
    * Federal Agencies Issue Frequently Asked Questions on Identity Theft Rules

    News release: "Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address. The “Red Flags and Address Discrepancy Rules,” which implement sections of the Fair and Accurate Credit Transactions Act of 2003, were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC)."

  • Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies
  • June 09, 2009
    * DHS OIG: Progress in Addressing Security Challenges at Washington Dulles International Airport

    OIG-09-66 - DHS' Progress in Addressing Technical Security Challenges at Washington Dulles International Airport (Redacted), May 2009

  • "...more work is needed to address physical and environmental control deficiencies. CBP also needs to implement technical controls to ensure that it is using the most current version of operating systems. Further, CBP [U.S. Customs and Border Protection] should ensure that system documentation includes information concerning vulnerabilities and accepted risks."
  • June 07, 2009
    * FTC Shuts Down Notorious Rogue Internet Service Provider

    News release: "A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP’s upstream providers and data centers have disconnected its servers from the Internet."

  • Federal Trade Commission v. Pricewert LLC also d/b/a 3FN.net, Triple Fiber Network, APS Communications, and APS Communication
  • May 29, 2009
    * Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure

    White House: Securing Our Digital Future, Melissa Hathaway, Cybersecurity Chief at the National Security Council, discusses securing our nation's digital future.

  • Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure, May 29, 2009: "The President directed a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cybersecurity. Cybersecurity policy includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. The scope does not include other information and communications policy unrelated to national security or securing the infrastructure. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, State governments, international partners, and the Legislative and Executive Branches. This paper summarizes the review team’s conclusions and outlines the beginning of the way forward towards a reliable, resilient, trustworthy digital infrastructure for the future."
  • * New GAO Reports: Federal Reserve Banks Security Controls, National Preparedness
    • Defense Management: Observations on DOD's Analysis of Options for Improving Corrosion Prevention and Control through Earlier Planning in the Requirements and Acquisition Processes, GAO-09-694R, May 29, 2009
    • Federal Reserve Banks: Areas for Improvement in Information Security Controls, GAO-09-722R, May 29, 2009
    • Financial Audit: Senate Restaurants Revolving Fund for Fiscal Years 2008 and 2007, GAO-09-409, May 29, 2009
    • Sponsored Noncitizens and Public Benefits: More Clarity in Federal Guidance and Better Access to Federal Information Could Improve Implementation of Income Eligibility Rules, GAO-09-375, May 19, 2009
    • National Preparedness: FEMA Has Made Progress, but Needs to Complete and Integrate Planning, Exercise, and Assessment Efforts, GAO-09-369, May 07, 2009
    May 28, 2009
    * NIST: Working Definition of Cloud Computing Released

    "NIST announces that its working definition of cloud computing is available. Researchers worked in collaboration with industry and government to draft the definition that serves as a foundation for its research and future publication on the topic. Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Researchers are studying cloud architectures, economics, security and deployment strategies for the federal government."

    May 25, 2009
    * U.S. Government Agencies and Internet Retailers Receive Failing Grade in

    News release: " The Online Trust Alliance (OTA) gave leading government agencies and online retailers a failing grade in preventing deceptive email and phishing scams based on its newly released analysis of email authentication adoption. While adoption has grown over the past year, OTA found approximately 56 percent of the top .gov sites – including Whitehouse.gov, FBI.gov, Treasury.gov and DHS.gov – still are not protecting U.S. citizens through the use of email authentication. At the same time, progress has been made by other government agencies including the Census Bureau, CIA, FDIC, VA and FTC."

    * OTA releases drafts Online Safety Principles for Public Comment

    News release: "...the Online Trust Alliance (OTA) released its 2009 draft Online Trust Principles for public comment. The Principles are a major step toward establishing business practices that afford greater consumer online protection and the long term vitality of online commence and interactive marketing."

    May 08, 2009
    * DOT OIG: Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems

    Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems, May 04, 2009

  • "On May 4, 2009, we issued our report on Federal Aviation Administration (FAA) web applications security and intrusion detection in air traffic control (ATC) systems, requested by the Ranking Minority Members of the full House Transportation and Infrastructure Committee and its Aviation Subcommittee. We found that web applications used in supporting ATC systems operations were not properly secured to prevent attacks or unauthorized access. During the audit, our staff gained unauthorized access to information stored on web application computers and an ATC system, and confirmed system vulnerability to malicious code attacks. In addition, we found that FAA had not established adequate intrusion–detection capability to monitor and detect potential cyber security incidents at ATC facilities. Intrusion–detection systems have been deployed to only 11 (out of hundreds of) ATC facilities. Also, cyber incidents detected were not remediated in a timely manner."
  • May 05, 2009
    * New GAO Reports: Cyber Threats and Federal Systems, GAO Oversight
    • Information Security: Cyber Threats and Vulnerabilities Place Federal Systems at Risk, GAO-09-661T, May 5, 2009: "Cyber threats to federal information systems and cyber-based critical infrastructures are evolving and growing. These threats can be unintentional and intentional, targeted or nontargeted, and can come from a variety of sources, such as foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization. Moreover, these groups and individuals have a variety of attack techniques at their disposal, and cyber exploitation activity has grown more sophisticated, more targeted, and more serious. As government, private sector, and personal activities continue to move to networked operations, as digital systems add ever more capabilities, as wireless systems become more ubiquitous, and as the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow."
    • Recovery Act: GAO's Efforts to Work with the Accountability Community to Help Ensure Effective and Efficient Oversight, GAO-09-672T, May 5, 2009: "GAO is carrying out its responsibilities to review the uses of Recovery Act funds and will also target certain areas for additional review using a riskbased approach. GAO’s first bimonthly report examined the steps 16 states, the District of Columbia, and selected localities are taking to use and oversee Recovery Act funds. These states contain about 65 percent of the U.S. population and are estimated to receive about two-thirds of the intergovernmental grant funds available through the Recovery Act. GAO’s report made several recommendations to the Office of Management and Budget (OMB) toward improving accountability and transparency requirements; clarifying the Recovery Act funds that can be used to support state efforts to ensure accountability and oversight; and improving communications with Recovery Act funds recipients."
    • Related postings on financial system
    April 15, 2009
    * Symantec Internet Security Threat Report Volume XIV: April, 2009

    "The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a one-year period. It covers Internet threat activities, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The fourteenth version of the report, released April 14, 2009, is now available."

  • Internet Security Threat Report Volume XIV: April, 2009 - Analysis of threat activity January - December 2008.
  • Executive Summary: April, 2009
  • April 14, 2009
    * DHS Reports on Rightwing and Leftwing Extremists
    April 07, 2009
    * WSJ: Electricity Grid in U.S. Penetrated by Spies

    "Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials...But protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage."

  • See also North American Electric Reliability Corporation letter to Industry Stakeholders, April 7, 2009: "...as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations...One of the more significant elements of a cyber threat, contributing to the uniqueness of cyber risk, is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyber attacker to impact multiple assets at once, and from a distance."
  • * Sustainable Critical Infrastructure Systems: A Framework for Meeting 21st Century Imperatives

    National Academies Press, prepublication: Sustainable Critical Infrastructure Systems: A Framework for Meeting 21st Century Imperatives, 2009.

  • "For the people of the United States, the 20th century was one of unprecedented population growth, economic development, and improved quality of life. The critical infrastructure systems-water, wastewater, power, transportation, and telecommunications-built in the 20th century have become so much a part of modern life that they are taken for granted. By 2030, 60 million more Americans will expect these systems to deliver essential services. Large segments and components of the nation's critical infrastructure systems are now 50 to 100 years old, and their performance and condition are deteriorating. Improvements are clearly necessary. However, approaching infrastructure renewal by continuing to use the same processes, practices, technologies, and materials that were developed in the 20th century will likely yield the same results: increasing instances of service disruptions, higher operating and repair costs, and the possibility of catastrophic, cascading failures. If the nation is to meet some of the important challenges of the 21st century, a new paradigm for the renewal of critical infrastructure systems is needed. This book discusses the essential components of this new paradigm, and outlines a framework to ensure that ongoing activities, knowledge, and technologies can be aligned and leveraged to help meet multiple national objectives."
  • April 06, 2009
    * CRS: Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations

    Follow up to April 5, 2009 posting Senate Staff Working Draft of Cybersecurity Act of 2009, see this related CRS report: Comprehensive National Cybersecurity Initiative (CNCI): Legal Authorities and Policy Considerations, March 10, 2009

  • "In response to the CNCI and other proposals, questions have emerged regarding: (1) the adequacy of existing legal authorities—statutory or constitutional—for responding to cyber threats; and (2)
    the appropriate roles for the executive and legislative branches in addressing cybersecurity. The new and emerging nature of cyber threats complicates these questions. Although existing statutory provisions might authorize some modest actions, inherent constitutional powers currently provide the most plausible legal basis for many potential executive responses to national security related cyber incidences. Given that cyber threats originate from various sources, it is difficult to determine whether actions to prevent cyber attacks fit within the traditional scope of executive power to conduct war and foreign affairs. Nonetheless, under the Supreme Court jurisprudence, it appears that the President is not prevented from taking action in the cybersecurity arena, at least until Congress takes further action. Regardless, Congress has a
    continuing oversight and appropriations role. In addition, potential government responses could be limited by individuals’ constitutional rights or international laws of war. This report discusses the legal issues and addresses policy considerations related to the CNCI."
  • April 05, 2009
    * Senate Staff Working Draft of Cybersecurity Act of 2009

    CDT: "A cybersecurity bill introduced April 01, 2009 in the Senate would give the federal government extraordinary power over private sector Internet services, applications and software. The Cybersecurity Act of 2009 would, for example, give the President unfettered power to shut down Internet traffic in emergencies or disconnect any critical infrastructure system or network on national security grounds. The bill would grant the Commerce Department the ability to override all privacy laws to access any information about Internet usage in connection with a new role in tracking cybersecurity threats. The bill, introduced by Sens. John Rockefeller and Olympia Snowe, would also give the government unprecedented control over computer software and Internet services, threatening innovation, freedom and privacy. CDT President and CEO Leslie Harris said, "The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."

  • Cybersecurity Act of 2009, April 01, 2009: "To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes."
  • Bill Creating a White House Cybersecurity Advisor, April 01, 2009

  • March 30, 2009
    * FBI's Internet Crime Complaint Center - 2008 Internet Crime Report

    "In December 2003, the Internet Fraud Complaint Center (IFCC) was renamed the Internet Crime Complaint Center (IC3) to better reflect the broad character of such criminal matters having a cyber (Internet) nexus. The 2008 Internet Crime Report is the eighth annual compilation of information on complaints received and referred by the IC3 to law enforcement or regulatory agencies for appropriate action. From January 1, 2008 – December 31, 2008, the IC3 website received 275,284 complaint submissions. This is a (33.1%) increase when compared to 2007 when 206,884 complaints were received. These filings were composed of complaints primarily related to fraudulent and non-fraudulent issues on the Internet."

    March 06, 2009
    * Director of National Cybersecurity Center Resigns

    WSJ: "The government's coordinator for cybersecurity programs has quit, criticizing what he described as the National Security Agency's grip on cybersecurity. Rod Beckstrom, a former Silicon Valley entrepreneur, said in his resignation letter that the NSA's central role in cybersecurity is "a bad strategy" because it is important to have a civilian agency taking a key role in the issue. The NSA is part of the Department of Defense."

  • Mr. Beckstrom's resignation letter: "...the NCSC [National Cybersecurity Center] did not receive appropriate support inside DHS during the last administration to fully realize its vital role."
  • March 01, 2009
    * FTC Releases List of Top Consumer Complaints in 2008

    "The Federal Trade Commission released the list of top consumer complaints received by the agency in 2008. The list, contained in the publication Consumer Sentinel Network Data Book for January-December 2008, showed that for the ninth year in a row, identity theft was the number one consumer complaint category. Of 1,223,370 complaints received in 2008, 313,982 – or 26 percent – were related to identity theft."

  • "The Consumer Sentinel Network (CSN) received over 1.2 million complaints during calendar year 2008: 52% fraud complaints; 26% identity theft complaints; and 22% other types of complaints. This year’s report is the first to include the other types of complaints. Identity theft was the number one complaint category in the CSN for calendar year 2008 with 26% of the overall complaints, followed by Third Party and Creditor Debt Collection (9%); Shop-at-Home and Catalog Sales (4%); Internet Services (4%); Foreign Money Offers and Counterfeit Check Scams (3%); Credit Bureaus, Information Furnishers and Report Users (3%); Prizes, Sweepstakes and Lotteries (3%); Television and Electronic Media (2%); Banks and Lenders (2%); and Telecom Equipment and Mobile Services (2%)."
  • February 23, 2009
    * Report: Data Loss Risks During Downsizing

    Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data, February 23, 2009

  • "Sponsored by Symantec, Ponemon Institute independently conducted this national study...to understand what employees are doing with the data on the laptops their employers provided them. According to our findings, 59% of employees who leave or are asked to leave are stealing company data. Moreover, 79% of these respondents admit that their former employer did not permit them to leave with company data. Our study reveals that companies are doing a very poor job at preventing former employees from stealing data. Only 15% of respondents’ companies review or perform an audit of the paper and/or electronic documents employees are taking. If they conduct a review, 45% say it was not complete and 29% say it was superficial."
  • February 10, 2009
    * President Obama Directs the National Security and Homeland Security Advisors to Conduct Immediate Cyber Security Review

    News release: "President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security. This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector. "The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Assistant to the President for Counterterrorism and Homeland Security John Brennan. Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period."

    February 01, 2009
    * CWE/SANS TOP 25 Most Dangerous Programming Errors

    News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."

    The Top 25 Errors are listed below in three categories:

    January 09, 2009
    * PWC: Global state of information security survey 2008

    "The Global state of information security survey 2008 is a worldwide security survey by PricewaterhouseCoopers, CIO Magazine and CSO Magazine. It was conducted online from March 25 to June 26, 2008. Readers of CIO and CSO Magazines and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 119 countries. Thirty-nine percent (39%) of respondents were from North America, twenty-seven percent (27%) from Europe, seventeen percent (17%) from Asia, fifteen percent (15%) from South America, and two percent (2%) from the Middle East and South Africa."

    January 07, 2009
    * Identity Theft Resource Center's 2008 Breach Report

    News release: "Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest."

    December 20, 2008
    * Coalition Letter to President-elect Obama on the Future of Privacy

    "Thirty privacy, consumer, and civil liberties organizations sent a letter to President-elect Barack Obama on the importance of protecting privacy in the next administration. The organizations support the incoming president’s expressed on privacy, consumer rights, and civil liberties. President-elect Obama stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said that “[t]here is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information.” For more information visit EPIC’s A-Z Privacy Page."

    December 18, 2008
    * FTC Issues Report on Social Security Numbers and Identity Theft

    News release: "The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities...The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud...The FTC report also recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted that such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability of SSNs could unintentionally curtail those functions. Finally, the report recommends steps to improve data security, increase outreach to consumers and businesses on the protection of SSNs, and enhance coordination and information-sharing among organizations that routinely use SSNs."

  • Security In Numbers: Social Security Numbers and Identity Theft: A Federal Trade Commission Report Providing Recommendations On Social Security Number Use In the Private Sector (December 2008)
  • December 08, 2008
    * Securing Cyberspace for the 44th Presidency

    "The Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency has released its final report, Securing Cyberspace for the 44th Presidency. The Commission’s three major findings are: cybersecurity is now one of the major national security problems facing the United States; decisions and actions must respect American values related to privacy and civil liberties; and only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation."

    December 01, 2008
    * DOE OIG Reports: Grenade Launcher Qualification Requirements, Cyber Security Risk Management Practice

  • Inspection Report - 40 MM Grenade Launcher Qualification Requirements at Department of Energy Sites, November 2008: "The Department of Energy and its National Nuclear Security Administration (NNSA), operate some of the most sensitive Federal facilities in the United States. Because of the mission requirements, safeguards and security is a top priority at these sites. As part of its security regime, the Department maintains a cadre of armed protective force officers to prevent and defend against malevolent acts. In recent years, the Department has worked to enhance security by increasing the capabilities of weapon systems used by the protective force officers. One such weapon is the 40 mm grenade launcher, which utilizes high explosive ammunition to defeat adversary personnel and equipment. A number of Department sites have procured these
    weapons."
  • Audit Report - Cyber Security Risk Management Practice at the Southeastern, Southwestern, and Western Area Power Adminstrations, November 2008: "The Southeastern, Southwestern, and Western Area Power Administrations provide electrical power to customers in 29 states. To support this critical function, the Power Marketing Administrations (PMAs) utilize infornlation systems to conduct various activities, including financial management, marketing, and transferring wholesale electrical power across the Nation's electrical grids. In particular, Southwestern and Western operate supervisory control and data acquisition (SCADA) systems - systems
    critical to controlling the flow of electricity to the power grid. The power grids are part of the U.S. critical infrastructure. Interruptions in these control systems for an extended period could adversely impact the PMAs' customers."
  • November 17, 2008
    * Live Piracy Map 2008

    From the ICC Commercial Crime Services (CCS) - "the anti-crime arm of the International Chamber of Commerce": Live Piracy Map 2008 - "This map shows all the piracy incidents reported by the IMB Piracy Centre in Kuala Lumpur during 2008. Please click on the pins for more details of the specific incident or zoom in for more accurate location information."

    * Report: Online Threats to Youth: Solicitation, Harassment, and Problematic Content

    Online Threats to Youth: Solicitation, Harassment, and Problematic Content, Literature Review by the Research Advisory Board of the Internet Safety Technical Task Force, Andrew Schrock and Danah Boyd, Berkman Center for Internet & Society, Harvard University, Draft Version. November 14, 2008

  • "The goal of this literature review is to map out what is currently known about the risks youth face and the youth who face them to further discussions about online safety. We believe that the first step in helping youth is to understand the problems that are occurring. The best solutions will be those that address real dangers, real risks, and the interrelated dynamics that put youth at risk. We do not discuss potential solutions, but we feel as though the research described in this document is essential for those who are looking to develop solutions."
  • November 10, 2008
    * Worldwide Infrastructure Security Report 2008

    Worldwide Infrastructure Security Report, Volume III: "Arbor Networks®, Inc., in cooperation with the Internet security operations community, has completed the third edition of an ongoing series of annual operational security surveys. This survey, covering a 12-month period from July 2006 through June 2007, is designed to provide data useful to network operators so that they can make informed decisions about their use of network security technology to protect their mission-critical infrastructures. It is also meant to serve as a general resource for the Internet operations and engineering community, recording information on trends and employment of various infrastructure security techniques."

    * Spamalytics: An Empirical Analysis of Spam Marketing Conversion

    Spamalytics: An Empirical Analysis of Spam Marketing Conversion, October 2008 - Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson† Stefan Savage

  • "The “conversion rate” of spam — the probability that an unsolicited e-mail will ultimately elicit a “sale” — underlies the entire spam value proposition. However, our understanding of this critical behavior is quite limited, and the literature lacks any quantitative study concerning its true value. In this paper we present a methodology for measuring the conversion rate of spam. Using a parasitic infiltration of an existing botnet’s infrastructure, we analyze two spam campaigns: one designed to propagate a malware Trojan, the other marketing on-line pharmaceuticals. For nearly a half billion spam e-mails we identify the number that are successfully delivered, the number that pass through popular anti-spam filters, the number that elicit user visits to the advertised sites, and the number of “sales” and “infections” produced.
  • November 08, 2008
    * Identity Theft Resource Center 2008 Breach List

    News release: "The total number of breaches in on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event."

    October 23, 2008
    * Identity Management Task Force Report 2008

    Office of Science and Technology Policy (OSTP) in the Executive Office of the President - Identity Management Task Force Report 2008, released September 2008

  • "The Task Force’s scope was limited to federal government systems, with the full understanding that these systems frequently rely on and impact IdM systems beyond federal control. This report presents an overview of the current state of federal IdM systems and also presents a high-level vision of how these systems can be holistically designed to provide better services while increasing privacy protection. The purpose of this report is to initiate further discussion on this vision, inform policy decisions, and provide direction on which to base near-term research."
  • October 21, 2008
    * The President's Identity Theft Task Force Report, September 2008

    News release: "Attorney General Michael B. Mukasey and Federal Trade Commission Chairman William E. Kovacic announced today the release of a report from the President’s Identity Theft Task Force on progress the federal government has made in addressing identity theft since the Task Force’s Strategic Plan was released last year. Highlights of the report include expansion of the Task Force’s data security and identity theft business and consumer education campaigns; exploring means of improving consumer authentication processes to prevent the use of stolen information to commit identity theft; launching new initiatives to help identity theft victims recover; and improving law enforcement tools to investigate and prosecute identity thieves."

  • The President's Identity Theft Task Force Report (September 2008)
  • October 11, 2008
    * Fox News: World Bank Under Cyber Siege in 'Unprecedented Crisis'

    FOX News: "The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

    In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an "unprecedented crisis." In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public."

    October 10, 2008
    * Consumers Warned to Avoid Fake E-mails Tied to Bank Mergers

    News release: "Online scammers are taking advantage of tough economic times. While e-mails phishing for sensitive data are nothing new, scammers are taking advantage of upheavals in the financial marketplace to confuse consumers into parting with valuable personal information. The Federal Trade Commission urges caution regarding e-mails that look as if they come from a financial institution that recently acquired a consumer’s bank, savings and loan, or mortgage. In fact, these messages may be from “phishers” looking to use personal information – account numbers, passwords, Social Security numbers – to run up bills or commit other crimes in a consumer’s name. Consumers are warned not to take the bait. The FTC has advice about how to stay on guard against this type of scam. To learn more, see the consumer alert Bank Failures, Mergers and Takeovers: A ‘Phish-erman’s Special.

    October 09, 2008
    October 01, 2008
    * FTC's Cyber Security Site Gets an Upgrade

    News release: "The Federal Trade Commission’s Web site that helps consumers stay on guard against Internet fraud is revamping to provide extra tools for cyber safety. The FTC’s announcement of the newly designed and improved site comes on the first day of October, which is National Cyber Security Awareness Month. Since the September 2005 launch of www.OnGuardOnline.gov and its Spanish-language counterpart, www.AlertaEnLínea.gov, more than 8.1 million visitors have learned about computer security at these sites. Now, with the help of 22 federal agencies, industry organizations, and non-profit groups, the FTC has introduced a variety of new features to help consumers avoid Internet fraud, secure their computers, and protect their personal information...The articles, games, and videos on the site provide information on 16 topics, including social networking, phishing, spam scams, and laptop security."

    September 24, 2008
    * DOE IG: The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2008

    The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2008, DOE/IG-0802 September 2008

  • "The Commission had taken action to improve cyber security practices and implemented protective measures designed to defend its networks against malicious attackers and other external threats. Our evaluation, however, disclosed that additional actions are needed to
    reduce the risk of compromise to the Commission's business information systems and data to an acceptable level."
  • September 19, 2008
    * Bureau of Justice Statistics: Cybercrime Against Businesses, 2005

    Cybercrime against Businesses, 2005: "Presents the nature and prevalence of computer security incidents among 7,818 businesses in 2005. This is the first report to provide data on monetary loss and system downtime resulting from cyber incidents. It examines details on types of offenders, reporting of incidents to law enforcement, reasons for not reporting incidents, types of systems affected, and the most common security vulnerabilities. The report also compares in-house security to outsourced security in terms of prevalence of cyber attacks. Appendix tables include industry-level findings."

    September 16, 2008
    * New GAO Reports: Cyber Analysis and Warning, Critical Infrastructure Protection, Certifying Voting Systems
    • Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability, GAO-08-588, July 31, 2008
    • Critical Infrastructure Protection: DHS Needs to Better Address Its Cybersecurity Responsibilities, GAO-08-1157T, September 16, 2008
    • Critical Infrastructure Protection: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise, GAO-08-825, September 09, 2008
    • Environmental Health: EPA Efforts to Address Children's Health Issues Need Greater Focus, Direction, and Top-Level Commitment, GAO-08-1155T, September 16, 2008
    • Information Technology: Federal Laws, Regulations, and Mandatory Standards to Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors, GAO-08-1075R, September 16, 2008
    • Elections: Federal Program for Certifying Voting Systems Needs to Be Further Defined, Fully Implemented, and Expanded, GAO-08-814, September 16, 2008
    • Diversity Management: Important Actions Taken and Planned to Further Enhance Diversity, GAO-08-1160T, September 16, 2008
    • Digital Television Transition: Information on the Implementation of the Converter Box Subsidy Program and Consumer Participation in the Program, GAO-08-1161T, September 16, 2008
    • Diversity at GAO: Sustained Attention Needed to Build on Gains in SES and Managers, GAO-08-1156T, September 16, 2008
    • Diversity at GAO: Sustained Attention Needed to Build on Gains in SES and Managers, GAO-08-1098, September 10, 2008
    September 08, 2008
    * Remarks by Homeland Security Secretary Michael Chertoff at Brookings on the Nation’s Critical Infrastructure

    News release: "...today's topic is going to cover a different kind of vulnerability, not the vulnerability to identity but the vulnerability to the physical world in which we operate. That is our critical infrastructure. And I want in particular to talk about how these vulnerabilities look to me as we enter the 21st century, and what we have to do to reduce the risk to our critical infrastructure in the years to come."

  • Fact Sheet: Critical Infrastructure and Homeland Security Protection Accomplishments
  • September 03, 2008
    * CERT: Understanding Voice over Internet Protocol (VoIP)

    Cyber Security Tip ST05-018 - Understanding Voice over Internet Protocol (VoIP): "Because VoIP relies on your internet connection, it may be vulnerable to any threats and problems that face your computer. The technology is still new, so there is some controversy about the potential for attack, but VoIP could make your telephone vulnerable to viruses and other malicious code. Attackers may be able to perform activities such as intercepting your communications, eavesdropping, conducting effective phishing attacks by manipulating your caller ID, and causing your service to crash. Activities that consume a large amount of network resources, like large file downloads, online gaming, and streaming multimedia, will also affect your VoIP service."

    August 30, 2008
    * Threats to Internet Routing and Global Connectivity

    Threats to Internet Routing and Global Connectivity, 20th Annual FIRST Conference, Vancouver, British Columbia Canada, June 2008 (69 page presentation) includes discussion of the following topics:

    • Physical problems (Physical Infrastructure: Natural, accidental or intentional destruction)
        Earthquakes, Anchors/Backhoes, Hurricanes
    • Routing Vulnerabilities (Logical Infrastructure: if routers cannot direct traffic appropriately, the Internet is broken.)
        Misconfigurations, hijacks, attacks
    • Business Conflicts (Competitors might not want to exchange traffic.)
        De-peerings
    August 26, 2008
    * Steady Increase in IDThefts Recorded So Far For 2008

    News release: "Today, the total number of breaches in on the Identity Theft Resource Center’s (ITRC) 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event....Breaches: 449 Exposed: 22,091,338."

    August 19, 2008
    * Secretary Chertoff Addresses Secure Identity Challenges

    News release: "Secretary Chertoff spoke on the balance between privacy and secure identity August 13 at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events. He addressed crimes involving identity theft, and talked about identity validation and authentication, the associated financial costs, the effect on illegal workers, the universe of tools available for identity management, and possible solutions that address the concerns of privacy advocates."

    August 12, 2008
    * Study: State AGs Fail to Adequately Protect Online Consumers

    News release: "State attorneys general received thousands of consumer complaints of online fraud and abuse in 2006 and 2007 and yet, with the exception of several notable standouts, brought few significant cases in response, according to a report released today from the Center for American Progress and the Center for Democracy and Technology, Online Consumers at Risk and the Role of State Attorneys General."

    * Google Reports Virus Email Activity At All Time High In July 2008

    Official Google Enterprise Blog: "In July, our Postini datacenters saw the biggest volume of email virus attacks so far in 2008, with a peak of nearly 10 million messages on July 24. One of the more prominent attacks in the month involved a spoofed UPS package-tracking link that was intended to lure recipients into clicking on it and downloading malware. Our zero-hour virus protection technology first started catching these emails on July 20."

    July 22, 2008
    * FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

    M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 14, 2008) (43 pages)

      "Agencies should also submit their most current documentation related to OMB Memorandum M-07-16, of May 22, 2007, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, This information should be provided in an appendix to your annual report and include the following items for your agency:
    • Breach notification policy
    • Implementation plan and progress update on eliminating unnecessary use of Social Security Numbers (SSN);
    • Implementation plan and progress update on review and reduction of holdings of personally identifiable information (PII); and
    • Policy outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules."

    July 14, 2008
    * FTC Issues Staff Report on Roundtable Discussion About Phishing Education

    News release: "The Federal Trade Commission today released a staff report on a Roundtable Discussion on Phishing Education that it hosted in April. Approximately 60 experts from business, government, the technology sector, the consumer advocacy community, and academia met at the FTC to discuss strategies for outreach to consumers about avoiding phishing. Phishers use deceptive spam that appears to come from legitimate, well-known sources to trick consumers into divulging sensitive or personal information, such as credit account numbers or passwords, often through a link to a copycat of the purported source’s Web site."

  • Roundtable Discussion On Phishing Education: A Staff Report By the Federal Trade Commission’s Division of Consumer and Business Education and Division of Marketing Practices (July 2008)
  • July 08, 2008
    * ‘Red Flag’ Regulations Require Financial Institutions and Creditors to Have Identity Theft Prevention Programs

    Federal Trade Commission: "Financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new Red Flags Rules.

    The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

    The Commission staff is launching an outreach effort to explain the Rules in greater detail. It has now published a general alert on what the Rules require, and, in particular, an explanation of which businesses - financial institutions and creditors - are covered by the Rules."

    July 03, 2008
    * FTC Will Study Experiences of Identity Theft Victims

    News release: "The Federal Trade Commission plans to study the experiences of identity theft victims by conducting a survey of consumers who contacted the FTC after they were victimized. The proposed survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge. The survey will seek information from identity theft victims who contacted the FTC between January 1 and May 30, 2008, and will inquire about their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights. The survey results will help guide the FTC’s efforts to enforce the law and educate consumers and the consumer reporting industry about their rights and duties."

  • ID Theft Proposed Survey
  • July 01, 2008
    * Identity Theft Resource Center 2008 Breach Report

    News release: "The ITRC Breach Report total has reached an all-time high. Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The actual number of breaches is likely even higher, due to underreporting and the fact that some of the breaches reported as a single event actually affected multiple businesses.

    The ITRC Breach Report sub-divides all breaches into five categories. To date, the 2008 ITRC Breach Stats Report indicates the following: 17.0% government/military agencies, 21.3% from educational institutions, 36.8% from general businesses, 14.9% from health care facilities / companies, and 10% from banking / credit / financial services entities.

    Click here for the 2008 ITRC Breach report. Click here for the 2008 ITRC Breach Stats Report broken down by categories which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care). Please check regularly as this list is updated weekly.

    June 18, 2008
    * New GAO Reports: Afghanistan Security, Homeland Security, Federal Agency Privacy Officers, Privacy of Citizen Personal Data
    • Afghanistan Security: Further Congressional Action May Be Needed to Ensure Completion of a Detailed Plan to Develop and Sustain Capable Afghan National Security Forces, GAO-08-661, June 18, 2008
    • Afghanistan Security: U.S. Efforts to Develop Capable Afghan Police Forces Face Challenges and Need a Coordinated, Detailed Plan to Help Ensure Accountability, GAO-08-883T, June 18, 2008
    • Architect of the Capitol: Progress in Improving Energy Efficiency and Options for Decreasing Greenhouse Gas Emissions, GAO-08-917T, June 18, 2008
    • Financial Audit: Material Weaknesses in Internal Control over the Processes Used to Prepare the Consolidated Financial Statements of the U.S. Government, GAO-08-748, June 17, 2008
    • Homeland Security: The Federal Protective Service Faces Several Challenges That Hamper Its Ability to Protect Federal Facilities, GAO-08-683, June 11, 2008
    • Homeland Security: The Federal Protective Service Faces Several Challenges That Raise Concerns About Protection of Federal Facilities, GAO-08-914T, June 18, 2008
    • Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions, GAO-08-603, May 30, 2008
    • Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, GAO-08-536, April 19, 2008
    • Privacy: Congress Should Consider Alternatives for Strengthening Protection of Personally Indentifiable Information, GAO-08-795T, June 18, 2008
    June 14, 2008
    * PC World Guide to Protecting Your Identity Online

    A Guide to Protecting Your Identity Online, Rosemary Haworth, PC Advisor

    June 13, 2008
    * Identity Theft: The Aftermath 2007

    Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.

    * FTC Testifies on Spyware

    News release: "The Federal Trade Commission...told the Senate Committee on Commerce, Science, and Transportation that “legislation authorizing the Commission to seek civil penalties in spyware cases could add a potent remedy to those otherwise available to the Commission.” In testimony to the Committee, Eileen Harrington, Deputy Director of the FTC’s Bureau of Consumer Protection, said that when other enforcement options – seeking consumer redress or making the operators give up their ill-gotten gains – are not appropriate or sufficient remedies to deter spyware distributors, “a civil penalty may be the most appropriate remedy and serve as a strong deterrent.” The testimony states that the agency supports legislation that would provide “the Commission this valuable law enforcement tool.”

    June 10, 2008
    * Social Security Administration's Internal Use of Employees' Social Security Numbers

    OIG: The Social Security Administration's Internal Use of Employees' Social Security Numbers. A-13-07-27164 06/09/08

  • "The Social Security number (SSN) was created in 1936 as a means of tracking workers’ earnings and eligibility for Social Security benefits. Nevertheless, the SSN has become a de facto national identifier used by Federal agencies, State and local governments, and private organizations. The expanded use of the SSN as a national identifier provides a tempting motive for unscrupulous individuals to acquire and use it for illegal purposes."
  • * Working Paper: Do Data Breach Disclosure Laws Reduce Identity Theft?

    Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University

  • "Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured. We use a panel from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices."

  • June 08, 2008
    * Akamai Technologies Releases Annual State of the Internet Report

    Akamai, 1st Quarter 2008 - The State of the Internet Report.

    "During the first quarter, Akamai observed attack traffic originating from 125 unique countries around the world. China and the United States were the two largest attack traffic sources, accounting for some 30% of this traffic in total. Akamai observed attack traffic targeted at 23 unique network ports. Many of the ports that saw the highest levels of attack traffic were targeted by worms, viruses, and bots that spread across the Internet several years ago. A number of major network “events” occurred during the first quarter that impacted millions of Internet users. Cable cuts in the Mediterranean Sea severed Internet connectivity between the Middle East and Europe, drastically slowing communications. Cogent’s de-peering of Telia
    impacted Internet communications for selected Internet users in the United States and Europe for a two-week period. A routing change by Pakistan Telecom that spread across the Internet essentially took YouTube, a popular Internet video sharing site, offline for several hours.

    May 24, 2008
    * Google Safe Browsing Diagnositic Tool

    Via Google Blogoscoped, "Google [has a] malware diagnosis service; just append any domain – your domain or another site you want to check on – to the end of the URL google.com/safebrowsing/diagnostic?site=, or paste a domain in the box below, and you will find an overview page listing potential problems like trojans or exploits (or the result may be telling you the site is OK)."

    May 23, 2008
    * FERC Chairman Testifies on Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid Event

    Chairman Kelliher testified before the House Homeland Security Committee, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid

  • "The Congress made FERC responsible for overseeing the reliability of the bulk power system, but it provided specific restrictions on the procedures to be used to develop and put into effect mandatory reliability standards. [Section 215 of the Federal Power Act] is an adequate basis to protect the bulk power system against most reliability threats, and for that reason I do not believe there is a need to amend section 215. However, I believe a different statutory mechanism is needed to protect the grid against cyber security threats, given the nature of these threats."

  • May 06, 2008
    * Yahoo Announces Search Feature to Fight Malware

    Yahoo Search Blog: "Today, we're announcing the beta release of SearchScan, a new feature from Yahoo! Search that helps protect users from viruses, spyware and spam. We've heard from users that security and privacy continue to be major concerns when they are online. We've also learned that solutions that require downloads and constant updating are less than ideal. To tackle the problem, we partnered with McAfee to build a feature that provides a safer and hassle-free search experience to all users...How does it work? SearchScan leverages McAfee's SiteAdvisor technology to alert users if risky websites appear in Yahoo! Search results. Starting today, SearchScan will be turned on by default for all users in the U.S., Canada, UK, France, Italy, Germany, Australia, New Zealand, and Spain..."

    April 27, 2008
    * EU Backs Criminalizing Posting Bomb Making Instructions on Web

    European Digital Rights: "The European Ministers of Justice and Internal Affairs have agreed to make publishing bomb-making instructions on the Internet a crime...Justice and interior ministers from the EU member states backed a proposal from Commissioner Frattini to harmonise the normative acts that will make the "public provocation to commit a terrorist offence, recruitment, and training for terrorism" a crime. According to the statements of the EU officials publishing these acts on the Internet completed the European legislation in this domain. They described the Internet as "a virtual training camp for militants, used to inspire and mobilise local groups." Gilles de Kerchove, the EU anti-terrorism co-ordinator, declared that there are approx. 5,000 websites that are used to radicalise young people."

    April 26, 2008
    * International Privacy Officials Recommend Social Networking Privacy Safeguards

    EPIC: "The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also
    recommended to raise the awareness of regulators, providers and the general public."

  • Report and Guidance on Privacy in Social Network Services - ”Rome Memorandum” - 43rd meeting, 3-4 March 2008, Rome (Italy)

  • A brochure containing all documents adopted by the International Working Group until 2006 (in German and English) is available for download here.
  • April 18, 2008
    * Journal of Public Inquiry Fall/Winter 2007-2008

    The Inspectors General, Journal of Public Inquiry Fall/Winter 2007/08 (96 pages, PDF)

  • "The Journal is a semiannual publication of the President’s Council on Integrity and Efficiency (PCIE) and the Executive Council on Integrity and Efficiency (ECIE), which together includes 64 statutory Inspectors General who oversee stewardship in the federal government..We are pleased to present over a dozen entries ranging from essays, speeches and Georgetown University capstone papers. The entries encompass themes ranging from audit advisory committees, the
    role of inspectors general in Eastern Europe, pubic integrity and the importance of identity protection. The highlighted article in this version of the Journal is entitled, “Sunshine is the Best Antiseptic,” and outlines the work that the IG Community has done to improve transparency in government and identifies the challenges that lie ahead."
  • April 08, 2008
    * Treasury OIG Audit: Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information

    Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071

  • "Because the IRS sends sensitive taxpayer and administrative information across its networks, routers on the networks must have sufficient security controls to deter and detect unauthorized use. Access controls for IRS routers were not adequate, and reviews to monitor security configuration changes were not conducted to identify inappropriate use. A disgruntled employee, contractor, or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems."
  • April 03, 2008
    * FBI: Reported Dollar Loss from Internet Crime Reaches All-Time High

    News release: "According to the 2007 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 206,884 complaints of crimes perpetrated over the Internet during 2007. Of the complaints received, more than 90,000 were referred to law enforcement around the nation, amounting to nearly $240 million in reported losses. This represents a $40 million increase in reported losses from complaints referred to law enforcement in 2006. All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts."

    * New FTC Videos Help Consumers Spot Phishing Scams

    News release: "The Federal Trade Commission has released three 60-second videos to help alert consumers to phishing scams. Phishing uses deceptive spam to trick consumers into divulging sensitive or personal information, including credit card numbers and other financial data, through an email or a link to a “copycat” site. The goal of the videos is to offer practical, useful, and memorable messages. The videos are the newest tool on OnGuardOnline.gov, the agency’s multimedia initiative to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. The award-winning site features tips, articles, how-to videos, interactive quizzes, and tutorials in English and Spanish. The new videos also will be featured on YouTube and on the FTC Web site here."

    April 01, 2008
    * Cybercrime Legislation: EU Country Profiles

    Cybercrime Legislation - Country profiles: "These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation. They do not necessarily reflect official positions of the countries covered or of the Council of Europe."

  • Octopus Interface 2008 - Cooperation against Cybercrime,
    Tuesday 1 - Wednesday 2 April 2008, Council of Europe, Strasbourg, France. "The 2008 Conference will focus on the cooperation between service providers and law enforcement, the state of cybercrime legislation and the effectiveness of international cooperation. In the face of the increasing vulnerability of societies to the threat of cybercrime the Conference provides a platform for enhancing cooperation among key stakeholders from around the world."
  • March 30, 2008
    * DHS Releases Privacy Technology Implementation Guide and Incident Handling Guidance

  • Privacy Technology Implementation Guide (PTIG), August 2007 (PDF, 36 pages): "The Privacy Office developed a new general guide for technology managers and developers to integrate privacy protections into operational IT systems. This new guide, the Privacy Technology Implementation Guide (PTIG) combines elements of privacy protection from disparate privacy compliance requirements, as well as a administrative policies and procedures into a single document, contextualized for managers and developers of operational systems. The PTIG is designed to allow each Component the flexibility to adapt privacy considerations to the way that Component does business while retaining a common DHS approach. The result is a new guide that provides early awareness of privacy issues and the aspects of systems that can be managed and developed to address privacy issues and streamline the process of complying with existing privacy protection requirements."
  • Privacy Incident Handling Guidance (PIHG), September 2007 (PDF, 109 pages): "The Department of Homeland Security (DHS) has a duty to safeguard personally identifiable information (PII) in its possession and to prevent the breach of PII in order to maintain the public’s trust. The Privacy Incident Handling Guidance (PIHG) serves this purpose by informing DHS organizations, employees, senior officials, and contractors of their obligation to protect PII and by establishing procedures delineating how they must respond to the potential loss or compromise of PII."
      Additional documents from the DHS Privacy Policy Guidance, Action Memorandum released:
    1. Attachment 2: Protecting & Handling Personnel-Related Data – Quick Reference Guide (PDF, 2 pages)
    2. Attachment 3: Verification and Confirmation Memorandum Templates (Self-Assessment and Training Certifications), (PDF, 2 pages)
    3. Attachment 4: DHS Employee Communication from Scott Charbo and Maureen Cooney regarding Data Security and Privacy, June 8, 2006 (PDF, 2 pages)
    4. Attachment 6: OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007 (PDF, 22 pages)
  • March 27, 2008
    * FTC Announces Settlement of Action Against Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data

    News release: "In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases."

  • In the Matter of Reed Elsevier Inc. and Seisint, Inc., FTC File No. 052-3094
  • March 25, 2008
    * The Financial Action Task Force Issues Terrorist Financing Report

    "The Financial Action Task Force (FATF) is an inter-governmental body whose purpose is the development and promotion of national and international policies to combat money laundering and terrorist financing."

  • FATF Terrorist Financing Report, March 14, 2008 (37 pages, PDF): "This study examines the means used by terrorists to raise funds and the wide variety of methods used to move money within and between organisations. The adaptability and opportunism shown by terrorist organisations suggests that all the methods that exist to move money around the globe are to some extent at risk."
  • March 22, 2008
    * Bank Tech Spending in 2008

    Exclusive TowerGroup Research Report: Bank Tech Spending in 2008: "Though banks’ IT budgets are likely to shrink if economic conditions worsen, demand for technologies that improve efficiency and integration, client engagement, and security and fraud management will continue, according to TowerGroup research."

    March 18, 2008
    * DOE OIG Audit Report: Management of the Department's Publicly Accessible Websites

    U.S. Department of Energy, Office of Inspector General, Office of Audit Services, Audit Report, Management of the Department's Publicly Accessible Websites, March 2008.

      "Our audit identified several opportunities to improve the security and management of the Department's publicly accessible websites. Specifically:
    • We identified over 50 significant cyber security incidents in the last three fiscal years, about half involving the defacement of web pages, which, in our judgment, could have been prevented had proper security controls been in place;
    • Content on publicly accessible web servers was not always controlled and reviewed periodically, contributing to an additional eight incidents which involved the exposure of personally identifiable information to unauthorized or malicious sources; and,
    • Most of the organizations reviewed also had not incorporated
      contingency/emergency planning features, provided accessibility for individuals with disabilities, and/or disabled unneeded computer services for their publicly accessible websites - factors that decreased the utility and increased the risk of malicious damage to those websites.

    * Study of Worldwide Airports Reveals Wireless Security Risks for Travelers and Airport Operations

    Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.

    One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."

    March 10, 2008
    * DHS Fact Sheet: Cyber Storm II National Cyber Exercise

    DHS Fact Sheet: Cyber Storm II National Cyber Exercise - "In March 2008, the Department of Homeland Security’s National Cyber Security Division (NCSD) will sponsor its second large-scale national cyber exercise, Cyber Storm II. Planned in close coordination with and driven by its stakeholders and participants, the exercise will center on a cyber-focused scenario that will escalate to the level of a cyber incident requiring a coordinated Federal response. Exercises such as Cyber Storm II are critical in maintaining and strengthening cross-sector, inter-governmental and international relationships, enhancing processes and communications linkages, as well as ensuring continued improvement to cyber security procedures and processes. Cyber Storm II is part of Homeland Security's ongoing risk-based management effort to use exercises to enhance government and private sector response to a cyber incident, promote public awareness, and reduce cyber risk within all levels of government and the private sector."

    March 06, 2008
    * HHS OIG: Proposed Revisions to Existing Privacy Act Systems of Records: Federal Register Notice

    HSS Office of Inspector General Privacy Act of 1974; Revisions to OIG’s Privacy Act System of Records: Criminal Investigative Files, Federal Register, March 4, 2008.

  • Action: Notice of proposed revisions to existing Privacy Act systems of records. OIG has reviewed and is now proposing to revise the criminal investigative file system of records by (1) amending the "Routine Uses of Records Maintained in the System" section by adding a new paragraph o. to address the requirement for a routine use for the disclosure of information in the investigation of data breaches of
    Personally Identifiable Information, in accordance with Office of Management and Budget Memorandum M–07–16; and (2) amending the "Policies and Practices for Storing, Retrieving, Reviewing, Retaining, and Disposing of Records in the Storage System" portion of the system of records to update the discussion on access methods for the mainframe and the storage location of data so that it is consistent with current technology."
  • March 02, 2008
    * Measuring Identity Theft at Top Banks (Version 1.0)

    Chris Hoofnagle, Measuring Identity Theft at Top Banks (Version 1.0) February 26, 2008. Berkeley Center for Law and Technology. Law and Technology Scholarship (Selected by the Berkeley Center for Law & Technology). Paper 44.

  • "There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect account holders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions. This is a first attempt to meaningfully compare institutions on their performance in avoiding identity theft. This analysis faces several challenges that are described in the methods section."
  • * Data Breach Notification Laws, State By State

    Data Breach Notification Laws, State By State, by Scott Berinato, "More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out."

    March 01, 2008
    * EU Safer Internet Plus Programme

    "The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."

  • Make the internet a safer place, February 2008: While the international context is complex, the EU has set certain standards across Europe, clarifying many legal issues. The internet related issues, however, cannot be tackled by legal measures alone, and are generally greater than parents realise. With broadband access growing – both via PCs and ‘third generation’ (3G) mobile phones – and as the internet becomes an increasingly important part of children’s lives, these figures are not likely to become less disturbing without
    concerted action."
  • February 25, 2008
    * Snowe Introduces Bi-Partisan Legislation Aimed at Protecting Nation's Internet Users

    News release: "A bi-partisan group of Senators from the Commerce, Science and Transportation Committee led by U.S. Senators Olympia J. Snowe (R-Maine), Bill Nelson (D-Florida) and the Committee’s Ranking Member Ted Stevens (R-Alaska), introduced today bi-partisan legislation aimed at ending the deceptive practice known as phishing. The Anti-Phishing Consumer Protection Act of 2008 would prohibit phishing – the deceptive solicitation of a consumer’s personal information through the use of emails, instant messages, and misleading websites that trick recipients into divulging their information for the purpose of identity theft. The legislation would also prohibit related abuses, such as the practice of using fraudulent or misleading domain names, by defining them as deceptive practices under the FTC Act."

    February 24, 2008
    * Research Paper: Cold Boot Attacks on Encryption Keys

    Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Haldermany, Seth D. Schoenz, Nadia Heningery, William Clarksony, William Paulx, Joseph A. Calandrinoy, Ariel J. Feldmany, Jacob Appelbaum, and Edward W. Felteny. Princeton University, Electronic Frontier Foundation, Wind River Systems. February 21, 2008.

    • Introductory blog post

    • Frequently asked questions

    • Experiment guide

    • Videos and images

    • Abstract: "Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount successful attacks on popular disk encryption systems using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them."

    February 13, 2008
    * FTC Releases List of Top Consumer Fraud Complaints in 2007

    "The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication Consumer Fraud and Identity Theft Complaint Data January-December 2007, showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.

    The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and the 50 metropolitan areas reporting the highest incidence of identity theft.

    The report states that credit card fraud was the most common form of reported identity theft at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.

    Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.


    February 11, 2008
    * Educational Security Incidents (ESI) Year in Review - 2007

    Educational Security Incidents (ESI) Year in Review - 2007: "By Adam Dodge - Posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition to new categories such as incident type "Employee Fraud" and information type "Username and Password".

    February 10, 2008
    * One person in eight in the EU27 avoids e-shopping because of security concerns

    Press release: "In connection with the 5th Safer Internet Day1 on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."

    February 06, 2008
    * Cisco Study on Remote Workers Reveals Need for Greater Diligence Toward Security

    "Cisco® today announced key findings from its annual global study on remote workers' security awareness and online behavior, indicating how they can inadvertently heighten risks for themselves and the companies they work for. The study's findings are prompting Cisco security executives to offer recommendations to information technology (IT) professionals on how to protect their companies against threats and maximize the business benefits of distributed and mobile workforces."

    February 05, 2008
    * DNI Statement for the Record - Senate Intelligence Committee Hearing

    Annual Threat Assessment of the Director of National Intelligence for the Senate Select Committee on Intelligence, February 5, 2008, J. Michael McConnell, Director of National Intelligence (47 pages, PDF).

  • "You will see from the testimony that many of the key topics I touch on are not traditional “national security” topics. Globalization has broadened the number of threats and challenges facing the United States. For example, as government, private sector, and personal activities continue to move to networked operations and our digital systems add ever more capabilities, our vulnerability to penetration and other hostile cyber actions grows. The nation, as I indicated last year, requires more from our Intelligence Community than ever before and consequently we need to do our business better, both internally, through greater collaboration across disciplines and externally, by engaging more of the expertise available outside the Intelligence Community."
  • February 04, 2008
    * FBI Identifies Recurring Fraudulent E-mail Scam

    Press release: "The FBI has recently developed information indicating cyber criminals are attempting to once again send fraudulent e-mails to unsuspecting recipients stating that someone has filed a complaint against them or their company with the Department of Justice or another organization such as the Internal Revenue Service, Social Security Administration, or the Better Business Bureau."
    Related resources:

  • FBI's New E-Scams & Warnings website

  • The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).
  • February 01, 2008
    * Privacy Rights Clearinghouse: A Chronology of Data Breaches

    A Chronology of Data Breaches, updated January 30, 2008

    January 31, 2008
    * Minimizing the Effect of Malware on Your Computer: FTC Offers Information on Protecting, Reclaiming Your Computer

    "Criminals are hard at work thinking up creative ways to get malware on your computer, warns the Federal Trade Commission. With appealing Web sites, desirable downloads, and compelling stories, these criminals try to lure consumers to links that will download malware, especially on computers that don’t use adequate security software. Then, they use the malware – malicious software – to steal personal information, send spam, and commit fraud. A new publication from the FTC has information that could help consumers protect their computers against malware and reclaim their computer and electronic information if malware is already on their computer. The publication, Minimizing the Effects of Malware, provides tips on spotting malware, and urges consumers to act immediately if they suspect their computer is affected by malware."

    January 19, 2008
    * FERC Approves New Reliability Standards for Cyber Security

    "The Federal Energy Regulatory Commission (FERC) approved eight new mandatory critical infrastructure protection (CIP) reliability standards to protect the nation’s bulk power system against potential disruptions from cyber security breaches. These reliability standards were developed by the North American Electric Reliability Corporation (NERC), which FERC has designated as the electric reliability organization (ERO)...The final rule, Mandatory Reliability Standards for Critical Infrastructure Protection, takes effect 60 days from the later of either the date Congress receives the agency notice of the rule, or the date the rule is published in the Federal Register."

    The eight CIP reliability standards address the following topics:
    * Critical Cyber Asset Identification;
    * Security Management Controls;
    * Personnel and Training;
    * Electronic Security Perimeters;
    * Physical Security of Critical Cyber Assets;
    * Systems Security Management;
    * Incident Reporting and Response Planning; and
    * Recovery Plans for Critical Cyber Assets.

    January 18, 2008
    * SANS Reports CIA Confirms Cyber Attack Caused Multi-City Power Outage

    SANS NewsBites - Volume: X, Issue: 5

  • "On Wednesday, in New Orleans, US Central Intelligence Agency senior analyst Tom Donahue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
  • * USA*Engage and NFTC Call SEC's Activity on Enhanced Access to Company Disclosures 'Inappropriate'

    Press release: "USA*Engage and the National Foreign Trade Council (NFTC) today sent formal comments to the U.S. Securities and Exchange Commission (SEC), recommending that the Commission reconsider its proposal to further develop mechanisms to facilitate greater access to companies’ disclosures concerning their business activities in or with certain countries designated as “state sponsors of terrorism.” In comments sent to the SEC, the associations noted that U.S. companies operating in such countries are conducting legal, legitimate business, and that the proposed mechanism actually punishes those companies who are most transparent."

    January 12, 2008
    * Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks

    Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks, by Saar Drimer and Steven J. Murdoch, Computer Laboratory, University of Cambridge

  • "Modern smartcards, capable of sophisticated cryptography, provide a high assurance of tamper resistance and are thus commonly used in payment applications. Although extracting secrets out of smartcards requires resources beyond the means of many would-be thieves, the manner in which they are used can be exploited for fraud. Cardholders authorize financial transactions by presenting the card and disclosing a PIN to a terminal without any assurance as to the amount being charged or who is to be paid, and have no means of discerning whether the terminal is authentic or not. Even the most advanced smartcards cannot protect customers from being defrauded by the simple relaying of data from one location to another. We describe the development of such an attack, and show results from live experiments on the UK’s EMV implementation, Chip & PIN. We discuss previously proposed defences, and show that these cannot provide the required security assurances. A new defence based on a distance bounding protocol is described and implemented, which requires only modest alterations to current hardware and software. As far as we are aware, this is the first complete design and implementation of a secure distance bounding protocol. Future smartcard generations could use this design to provide cost-effective resistance to relay attacks, which are a genuine threat to deployed applications. We also discuss the security-economics impact to customers of enhanced authentication mechanisms."

  • January 02, 2008
    * Open Access to Personal Data on E-Gov Sites Expose Citizens to ID Theft

    Washington Post, Online Records May Aid ID Theft, Government Sites Post Personal Data, By Bill Brubaker: "Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."

    December 29, 2007
    * OSAC Activity Report: November 2007

    US State Department's Overseas Security Advisory Council (OSAC) Activity Report: November 2007

  • AP: US State Department issues Top 10 list of security threats for US businesses: "...Intellectual property theft, terrorism, natural disasters and political instability were listed as the most serious security challenges in Asia."
  • December 28, 2007
    * FTC Issues Staff Report on Malicious Spam and Phishing

    Press release: "In a new report, the Federal Trade Commission staff describes findings from its July 2007 workshop, “Spam Summit: The Next Generation of Threats and Solutions” and proposes follow-up action steps that stakeholders can adopt to mitigate the harmful effects of malicious spam and phishing. In addition to proposing action steps for stakeholders, the report provides an overview of the agency’s decade-long role in protecting consumers from the threats of fraudulent spam and phishing. The report also announces results from staff’s 2007 Harvesting and Filtering Study, which suggest that Internet service providers’ spam filters continue to serve an integral role in reducing the amount of spam that reaches consumers’ in-boxes."

  • Spam Summit: The Next Generation of Threats and Solutions (39 pages, PDF)
  • December 26, 2007
    * 2007 Annual Study: U.S. Cost of a Data Breach

    Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventitive Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation."

    December 17, 2007
    * Management Challenges at the Department of Energy

    DOE OIG Special Report: Management Challenges at the Department of Energy, December 2007

  • "Based on work performed by the Office of Inspector General over the past year, the following represent the most serious challenges facing the Department of Energy: Contract Management, Cyber Security, Environmental Cleanup, Human Capital Management, Project Management
    Safeguards and Security, Stockpile Stewardship."
  • December 11, 2007
    * Widespread Use and Availability of Social Security Numbers Puts Americans at Risk for ID Theft

    Press release: "The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports. The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity... Jeannine Kenney, Senior Policy Analyst with Consumers Union...presented findings of a Consumer Reports National Research Center poll at the FTC forum showing that 89 percent of Americans want state and federal lawmakers to restrict the use and availability of Social Security numbers by businesses and government agencies. The poll also found that nearly all consumers want the right to freeze access to their credit files to prevent new account fraud. Currently 39 states and the District of Columbia give consumers the right to a security freeze and the three major credit bureaus have made the freeze available to consumers in the remaining states."

  • Also from Consumers Union, more information about the Social Security number privacy bills pending in Congress
  • December 05, 2007
    * CRS Report - Botnets, Cybercrime, and Cyberterrorism

    Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Updated November 15, 2007. "Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could
    secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security...This report discusses options now open to nation states, extremists, or terrorist groups for obtaining malicious technical services from cybercriminals to meet political or military objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical infrastructure."

    December 02, 2007
    * Awareness of Security Freeze Legislation and Use of Security Freezes by Consumers Age 18+

    Awareness of Security Freeze Legislation and Use of Security Freezes by Consumers Age 18+ Research Report, Jennifer H. Sauer, M.A., AARP Knowledge Management, Neal Walters, AARP Public Policy Institute, November 2007

  • "All but eleven states have enacted Security Freeze laws designed to protect consumers from identity theft. These laws give consumers the right to block their credit report from the view of others. This April-May 2007 AARP telephone survey explores the awareness of security freezes and the use of such freezes among consumers aged 18 and over living in California, Connecticut, Louisiana, Maine, Nevada, New Jersey, and North Carolina. In these selected states, the security freeze laws have been in effect for at least one year and they allow all consumers to place a security freeze on their credit report."
  • November 29, 2007
    * Annual McAfee Virtual Criminology Report

    McAfee Virtual Criminology Report - Cybercrime: The Next Wave - The annual McAfee global cyber trends study into organized crime and the Internet in collaboration with leading international security experts, November 2007.

  • "For this report we consulted with more than a dozen security specialists at top institutions such as NATO, the FBI, SOCA, the Center for Education and Research in Information Assurance and Security (CERIAS), the International Institute for Counter -Terrorism in Israel and the London School of Economics. These experts are also on the front lines in the fi ght against cybercrime every day, and we asked for their insights on the state of this dangerous underworld - as well as their predictions on where it’s going next...the experts agree that cybercrime has evolved significantly in complexity and scope. Espionage. Trojans. Spyware. Denial-of-service attacks. Phishing scams. Botnets. Zero-day exploits. The unfortunate reality is that no one is immune from this malicious industry’s reach — individuals, businesses, even governments. As the world has flattened, we’ve seen a signifi =cant amount of emerging threats from increasingly sophisticated groups attacking organizations around the world. And it’s only going to get worse..."

  • November 27, 2007
    * FTC Releases Survey of Identity Theft in the U.S. Study Shows 8.3 Million Victims in 2005

    Press release: "The Federal Trade Commission today released a survey showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005. Of the victims, 3.2 million, or 1.4 percent of all adults, experienced misuse of their existing credit card accounts; 3.3 million, or 1.5 percent, experienced misuse of non-credit card accounts; and 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds were committed using their personal identifying information."

  • Federal Trade Commission: 2006 Identity Theft Survey Report: Prepared for the Commission by Synovate (November 2007)
  • November 21, 2007
    * UK Government Loses Personal Data on 25 Million Citizens

    20 November 2007, Statement to the House of Commons by Chancellor of the Exchequer, Alistair Darling, MP, on HMRC

  • "With your permission Mr Speaker I should like to make a statement on the breach of procedures which led to missing personal data relating to child benefit from Her Majesty's Revenue and Customs...The National Audit Office - which is independent of Government, but answerable to Parliament - has a right to ask for and access data from HMRC in discharging its compliance responsibilities. In March of this year it appears that a junior official within HMRC provided the National Audit Office with a full copy of HMRC's data in relation to the payment of child benefit [The missing information contains details of all child benefit recipients: records for 25 million individuals and 7.25 million families. These records include the recipient and their children's names, addresses and dates of birth, it includes Child Benefit numbers, National Insurance Numbers, and, where relevant, bank or building society account details]. In doing so it is clear that the strict rules governing HMRC standing procedures were not followed. These procedures relate to the security and access to data as well as its transit to ensure that data is properly protected. This information should not have been handed over by HMRC in the way that it was. However, I understand that in this case the NAO subsequently returned all the information it received in March to HMRC after auditing it. It now appears that following a further request from the NAO in October for information from the Child Benefit database, and again at a junior level and again contrary to all HMRC standing procedures, two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's post system operated by the courier TNT. The package was not recorded or registered. Mr Speaker, it appears the data has failed to reach the addressee in the NAO. Mr Speaker, I also have to tell the House that on finding that the package had not arrived at the NAO, a further copy of this data was sent, this time by registered post, and which did arrive at the NAO. However, again HMRC should never have let this happen. Although it is believed the data was sent from HMRC to the NAO on 18 October, the fact it did not arrive it was not reported to HMRC's senior management until 8 November, nearly 3 weeks later. I was informed on Saturday 10 November and immediately instructed that comprehensive searches be carried out of all premises where the missing data might be found. These searches are continuing...On Monday 12 November HMRC informed me that evidence might have had been found of the route taken by the data and that the data was likely to be found. However, by Wednesday 14 November it was clear to me that the HMRC searches had failed to find them. I therefore instructed the Chairman of HMRC to call in the Metropolitan Police to conduct a full investigation in order to find the missing package."
  • November 14, 2007
    * National Fraud Awareness Week, November 11-17, 2007

    "Fraud Awareness Week is dedicated to promoting fraud awareness and educating businesses and the public about the growing global impact of fraud. Therefore, this is an appropriate time to address and promote basic steps that can be taken to recognize, report, and reduce the risk of becoming a victim of fraudulent activities. In recognition of Fraud Awareness Week, NCJRS presents this online compilation of resources addressing fraud:

  • Prevention and Education, October 2007

  • Resources for Victims

  • Investigation and Enforcement

  • See also National Criminal Justice Reference Service - Investigative Uses of Technology: Devices, Tools and Techniques (169 pages, PDF)
  • November 12, 2007
    * Dark Web Terrorism Research Sponsored by University of Arizona

    The University of Arizona Artificial Intelligence Lab Dark Web project: "Based on our actual spidering experience over the past 5 years, we believe there are about 50,000 sites of extremist and terrorist content as of 2007, including: web sites, forums, blogs, social networking sites, video sites, and virtual world sites (e.g., Second Life). The largest increase in 2006-2007 is in various new Web 2.0 sites (forums, videos, blogs, virtual world, etc.) in different languages (i.e., for home-grown groups, particularly in Europe). We have found significant terrorism content in more than 15 languages...We believe our Dark Web collection is the largest open-source extremist and terrorist collection in the academic world."

    November 01, 2007
    * Consumers Union Online Guide to ID Theft Safeguards

    Press release: "Starting November 1, consumers in all 50 states will be able to freeze access to their credit files at all three major credit bureaus to prevent identity thieves from opening fraudulent accounts in their names. By that date, all three major credit bureaus will offer “security freeze” protection to all consumers living in the eleven states that have not passed laws requiring it and the five states that currently limit this protection to identity theft victims. To help consumers learn how to take advantage of this powerful identity theft safeguard, Consumers Union, the nonprofit publisher of Consumer Reports, is making available online an updated Guide to Security Freeze Protection."

    October 31, 2007
    * Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy

    Text of the Federal Register Notice [256 pages, PDF] - Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003: 16 C.F.R. Part 681 (Federal Trade Commission Rule): Joint Final Rules and Guidelines of the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Offfice of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission.

    October 21, 2007
    * CDT Comments on FTC's Spyware Principles

    CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."

    October 16, 2007
    * New Bill To Add And Toughen Penalties For ID Theft And Fraud

    Press release, October 16, 2007: "Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Arlen Specter (R-Pa.) today introduced the bipartisan Identity Theft Enforcement and Restitution Act of 2007 to give federal prosecutors important new tools to combat the growing problem of identity theft and cyber crime.

    The Identity Theft Enforcement and Restitution Act of 2007 would:

  • Give victims of identity theft the ability to seek restitution for the loss of time and money spent restoring credit and remedying the harms of identity theft;
  • Expand the jurisdiction of federal computer fraud statutes to cover small businesses and corporations;

  • Eliminate the prosecutorial requirement that sensitive identity information must have been stolen through an interstate or foreign communication and instead focuses on whether the victim’s computer is used in interstate or foreign commerce, allowing for the prosecutions of cases in which both the identify thief’s computer and the victim’s computer are located in the same state;

  • Make it a felony to employ spyware or keyloggers to damage ten or more computers regardless of the aggregate amount of damage caused, ensuring that the most egregious identity thieves will not escape with a minimal, or no, sentence;

  • Eliminate the requirement that the loss resulting from damage to a victim’s computer must exceed $5,000; under this bill violations resulting in less than $5,000 damage would be criminalized as misdemeanors;

  • Add the crime of threatening to obtain or release information from a protected computer to the definition of a cyber crime and expands the definition of a cyber crime to include demanding money in relation to a protected computer, where the damage to the victim computer was caused to facilitate the extortion..."

  • October 11, 2007
    * PhishTank Annual Report: U.S. telecoms hosting phishes; OpenDNS offering a solution

    Press release: "With a full twelve months under our belt, today OpenDNS published the first-ever PhishTank annual report. The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country."

    * Guidelines on Securing Public Web Servers, Version 2

    National Institute of Standards and Technology, Computer Security Division: "SP 800-44 version 2, Guidelines on Securing Public Web Servers, is published as final. It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers."

    October 08, 2007
    * Deloitte 2007 Global Security Survey

    "Two of the key findings from this year’s Global Security Survey revolve around an organization’s people and a paradox that has been around for years. The weakest link in an organization’s security is its people. An organization’s people include employees, customers, third parties and business partners. And of those people, the highest number of breaches are perpetrated via the customer. Even though information security incidents are grabbing the attention of business executives and boards, these individuals do not yet feel that they “own” the problem. In their estimation, the execution of solutions is the mandate of IT. This information security paradox has been alive and well for years; the 2007 security survey confirms just how widespread it is."

  • Deloitte 2007 Global Security Survey (48 pages, PDF)

  • October 04, 2007
    * National Southwest Border Counternarcotics Strategy

    National Southwest Border Counternarcotics Strategy - Unclassified Summary, October 2007

  • "The President's National Drug Control Strategy seeks to disrupt the illicit drug industry as close to the source as possible. As a companion to the National Drug Control Strategy, this Strategy directs U.S. efforts to intercept drug shipments that manage to evade the robust international counterdrug efforts in the source zone and transit zone, thereby contributing to a layered defense of the homeland. This Strategy aims to improve Federal counterdrug efforts on the Southwest Border in the following areas: intelligence collection and information sharing, interdiction at and between ports of entry, aerial surveillance and interdiction of smuggling aircraft, investigations and prosecutions, countering financial crime, and cooperation with Mexico."
  • * European Security Research Agenda: European Commission Working documents

    European Security Research Agenda: European Commission Working documents: Public-Private Dialogue in Security Research and Innovation: Summary of the Impact Assessment (SEC (2007); Public-Private Dialogue in Security Research and Innovation: Impact Assessment (SEC (2007)

  • See also Security research to better combat terrorism

  • September 26, 2007
    * National Cyber Security Awareness Month 2007

    StaySafeOnline.org: "The National Cyber Security Alliance (NCSA), a consortium of government agencies and private industry sponsors, is proud to designate October 2007 as National Cyber Security Awareness Month (NCSAM). National Cyber Security Awareness Month is a national campaign designed to increase the public's awareness of cyber security and cyber crime issues so that users can take precautions to avoid these threats on the Internet. The month will feature a number of initiatives including public relations activities, educational programs and events that target Home Users, Small Businesses, Education audiences (K-12 and higher education), and Child Safety online."

    September 24, 2007
    * Thompson, Langevin Demand Investigation into Department Cyber Attacks

    Press release: "Committee on Homeland Security Committee Chairman Bennie G. Thompson (D-MS) and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James R. Langevin (D-RI) sent a letter on Friday to Richard L. Skinner, Inspector General of the Department of Homeland Security to request an investigation into cyber attacks on the Department initiated by foreign entities and relating to incompetent and possibly illegal activity by the contractor charged with maintaining security on its networks. Links to the letter and its enclosure."

    * Cuomo Subpoenas Facebook Over User Safety

    Press release: "Attorney General Andrew Cuomo announced today that his office is investigating Facebook over representations the company makes about safety measures in place on its website. In a letter accompanying a subpoena for documents, Cuomo warned the company that a preliminary review conducted by his office revealed significant defects in the site’s safety controls and the company’s response to complaints - deficiencies that stand in contrast to the reassuring statements made on the website and by company officials."

    * New Report: Four Out of Five Companies Worldwide Affected by Fraud

    Press release: "Four out of five companies have suffered from corporate fraud in the past three years, according to a survey from Kroll, the world’s leading risk consulting company. New technologies, new investors and expansion into new overseas markets have opened the door to different forms of fraud, the report concludes. In some sectors, more than a fifth of companies have lost more than $1m...The report draws on a survey by the Economist Intelligence Unit of 900 senior executives worldwide."

  • Kroll Global Fraud Report (44 pages, PDF)
  • September 21, 2007
    * DOE OIG Audits: Hanford Environmental Information System and Unclassified Cyber Security Program

  • DOE OIG Report, Management Controls over the Hanford Environmental Information System, September 2007, OAS-M-07-06

  • Evaluation Report, The Department's Unclassified Cyber Security Program - 2007, September 2007, DOE/IG-0776
  • * New Australian Legislation Would Allow Police to Ban Internet Content

    Press release: "Electronic Frontiers Australia (EFA) today slammed a Bill introduced into the Senate which would give members of the Australian Federal Police powers to ban access to Internet content. The Communications Legislation Amendment (Crime or Terrorism Related Internet Content) Bill 2007 would, if enacted, give senior members of the Australian Federal Police powers to ban access to Internet content which they "have reason to believe": encourages, incites, or induces the commission of a Commonwealth offence; or was published in part to facilitate the commission of such an offence; or that it is likely to have the effect of facilitating the commission of such an offence."

  • Text of the Communications Legislation Amendment (Crime or Terrorism Related Internet Content) Bill 2007
  • * EPIC Testifies Before DHS Privacy Advisory Panel on Fusion Centers

    EPIC: "The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security held a series of panel discussions on the topic of "information fusion centers." EPIC's statement to the committee made specific recommendations on the need to create accountability, oversight, and greater transparency on the work of fusion centers. So far DHS has awarded over $380 million in grants to local and state law enforcement to build 43 of the planned 70 interconnected computer networks. The domestic surveillance project is compiling, analyzing, and disseminating detailed personal information for intelligence and other purposes. DHS says it wants to use fusion centers to prevent terrorism, but local and state police want the centers to support their efforts to anticipate, identify, prevent, and/or monitor crime. See EPIC's page on Fusion Centers and Spotlight on Surveillance."

    September 19, 2007
    * FTC Testifies on Identity Theft Initiatives

    Press release: "The FTC today told the Maryland Task Force on Identity Theft that public organizations, including federal, state, and local governments, “play a critical role in guarding against misuse and unauthorized disclosure of the personal information they collect and maintain.” Speaking before the Maryland Task Force to Study Identity Theft, Betsy Broder, Assistant Director of the FTC’s Division of Privacy and Identity Protection said, “To succeed in the battle against identity theft, federal, state and local governments, working together with the private sector, must make it more difficult for thieves to obtain the information they need to steal identities, make it more difficult to use that information if they do obtain it, and assist victims when thefts occur.”

  • Prepared Statement of the Federal Trade Commission On Combating Identity Theft: Implementing A Coordinated Plan, Presented by Betsy Broder, Assistant Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Before the Maryland Task Force To Study Identity Theft, September 18, 2007 (18 pages, PDF)
  • September 12, 2007
    * FTC Plays Critical Role in Online Consumer Protection

    Press release: "The FTC today told the Senate Committee on Commerce, Science & Transportation Subcommittee on Interstate Commerce, Trade and Tourism that it has a robust record in protecting consumers and preserving competition in the marketplace...Speaking for the Commission, Chairman Deborah Platt Majoras said that much of the work of the FTC’s Bureau of Consumer Protection has been devoted to data security and identity theft, technology risks to consumers, fraud in the marketing of health care products, financial practices, telemarketing fraud, and enforcement of the National Do Not Call Rule."

  • Prepared Statement of the Federal Trade Commission On Reauthorization: Major Activities, Planned Initiatives, and Legislative Recommendations, Presented by Chairman Deborah Platt Majoras Before the Subcommittee on Interstate Commerce, Trade, and Tourism of the Committee on Commerce, Science, and Transportation, United States Senate (September 12, 2007)

  • "The Federal Trade Commission (FTC) plays a central role in combating mounting online threats like spyware and phishing and must be reauthorized to continue its vital consumer protection functions, CDT told a congressional panel today. Testifying before the Senate Commerce Committee's Subcommittee on Interstate Commerce Trade and Tourism, CDT Deputy Director Ari Schwartz highlighted the agency's emergence as the lead government organization in the fight against spyware and other online scams. CDT also noted that the threats are growing in scope and sophistication and may require that the FTC be granted additional resources in the near future. September 12, 2007"
  • September 10, 2007
    * Scientists Use the "Dark Web" to Snag Extremists and Terrorists Online

    "Terrorists and extremists have set up shop on the Internet, using it to recruit new members, spread propaganda and plan attacks across the world. The size and scope of these dark corners of the Web are vast and disturbing. But in a non-descript building in Tucson, a team of computational scientists are using the cutting-edge technology and novel new approaches to track their moves online, providing an invaluable tool in the global war on terror. Funded by the National Science Foundation and other federal agencies, Hsinchun Chen and his Artificial Intelligence Lab at the University of Arizona have created the Dark Web project, which aims to systematically collect and analyze all terrorist-generated content on the Web."

    August 13, 2007
    * Team of University of California Researchers Identify "Spamscatter" Technique

    PC World: Study Finds Spam's Achilles Heel - "Researchers say they've discovered a critical weakness in the spam infrastructure."

  • Spamscatter: Characterizing Internet Scam Hosting Infrastructure, David S. Anderson, Chris Fleizach, Stefan Savage, and Geoffrey M. Voelker, Proceedings of the USENIX Security Symposium, Boston, MA, August 2007.

  • See also The New Yorker, Damn Spam, The losing war on junk e-mail,
    by Michael Specter, August 6, 2007: "Nearly two million e-mails are dispatched every second, a hundred and seventy-one billion messages a day. Most of those messages have something to sell...Spam’s growth has been metastatic, both in raw numbers and as a percentage of all mail. In 2001, spam accounted for about five per cent of the traffic on the Internet; by 2004, that figure had risen to more than seventy per cent. This year, in some regions, it has edged above ninety per cent—more than a hundred billion unsolicited messages clogging the arterial passages of the world’s computer networks every day."
  • August 12, 2007
    * Rand Report - Assessing Publicly Available Data Regarding U.S. Transportation Infrastructure Security

    Freedom and Information: Assessing Publicly Available Data Regarding U.S. Transportation Infrastructure Security, August 8, 2007: "This report concerns the feasibility of obtaining information relevant to planning terrorist attacks from publicly available sources. To the extent that such information is available, it is particularly valuable to terrorist planners in that it can generally be obtained at lower cost, risk, and effort than more direct forms of gathering information such as observation of a potential target. Familiarity with public sources of information is also valuable to defenders. If they are unaware that a terrorist group knows or can easily learn about a particular vulnerability, that vulnerability can be exploited more easily."

  • Also from Rand, Can Publicly Available Information Be Used in Planning Terrorist Attacks? August 8, 2007 - "This fact sheet describes a framework for assessing the availability of publicly available information for planning attacks on the U.S. air, rail, and sea transportation infrastructure and the results of applying the framework in a red-team exercise."
  • August 11, 2007
    * Article Examines Corporate Responsibility for Compromised Personal Records

    Erickson, K., & Howard, P. (2007). A case of mistaken identity? News accounts of hacker, consumer, and organizational responsibility for compromised digital records. Journal of Computer-Mediated Communication, 12(4), article 5.

  • "The computer hacker is one of the most vilified figures in the digital era, but to what degree are organizations actually responsible for compromised personal records? To examine the role of organizational behavior in privacy violations, we analyze 589 incidents of compromised data between 1980 and 2006. There were more reported incidents in 2005 and 2006 than in the previous 25 years combined. Excluding a particularly large security breach at Acxiom, hackers account for the largest volume of compromised records, some 45%, while 27% of the volume is attributed to organizational mismanagement and 28% remains unattributed. In terms of incidents, 9% were an unspecified type of breach, 31% of the incidents involved hackers, and 60% of the incidents involved organizational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost backup tapes, or other administrative errors. Options for public policy oversight are discussed."
  • * UK Parliament Science and Technology - Fifth Report

    UK House of Lords, Science and Technology Committee, 5th Report of Session 2006-2007: Personal Internet Security, August 10, 2007 (121 pages, PDF)

  • "e-crime and the internet - Lords Science and Technology Committee calls for incentives, regulation and investment to tackle internet crime: The Internet is a powerful force for good: within 20 years it has expanded from almost nothing to a key component of critical national infrastructure and a driver of innovation and economic growth. It facilitates the spread of information, news and culture. It underpins communications and social networks across the world. A return to a world without the Internet is now hardly conceivable.

    But the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today's "bad guys" belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded. While the incidence and cost of e-crime are known to be huge, no accurate data exist.

    Underpinning the success of the Internet is the confidence of hundreds of millions of individual users across the globe. But there is a growing perception, fuelled by media reports, that the Internet is insecure and unsafe. When this is set against the rate of change and innovation, and the difficulty of keeping pace with the latest technology, the risk to public confidence is clear.

    The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless "wild west". It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system.

    We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders.

    The threat to the Internet is clear, but it is still manageable. Now is the time to act, both domestically, and internationally, through the European Union and through international organisations and partnerships.

  • August 06, 2007
    * Consumer Report's 2007 State of the Net

    "The risk associated with using the Internet remains high. Our State of the Net assesses the likelihood and impact of four leading online hazards, listed in order of incidence, based on the survey by the Consumer Reports National Research Center and our follow-up investigation."

  • In this report: Overview >> Phishing >> Viruses >> Spam >> Social networking >> A safer net >> How criminals deceive >> Where criminals plot >> State of the Net >> Properly erasing hard drives >> Ways to stay safe online >> Canadian online security
  • July 23, 2007
    * New GAO Reports: Cybercrime, Federal Farm Programs, FHA, Influenza Pandemic

  • Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats, GAO-07-705, June 22, 2007: "Cybercrime has significant economic impacts and threatens U.S. national security interests. Various studies and experts estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey. In addition, there is continued concern about the threat that our adversaries, including nation-states and terrorists, pose to our national security."

  • Federal Farm Programs: USDA Needs to Strengthen Controls to Prevent Improper Payments to Estates and Deceased Individuals, GAO-07-818, July 9, 2007

  • Federal Housing Administration: Proposed Legislative Changes Would Affect Borrower Benefits and Risks to the Insurance Funds, GAO-07-1109T, July 18, 2007

  • Federal Real Property: DHS Has Made Progress, but Additional Actions Are Needed to Address Real Property Management and Security Challenges, GAO-07-658, June 22, 2007

  • Federal Retirement Thrift Investment Board: Many Responsibilities and Investment Policies Set by Congress, GAO-07-611, June 21, 2007

  • Financial Audit: Significant Internal Control Weaknesses Remain in the Preparation of the Consolidated Financial Statements of the U.S. Government, GAO-07-805, July 23, 2007

  • Hanford Waste Treatment Plant: Department of Energy Needs to Strengthen Controls over Contractor Payments and Project Assets, GAO-07-888, July 20, 2007

  • Influenza Pandemic: DOD Combatant Commands' Preparedness Efforts Could Benefit from More Clearly Defined Roles, Resources, and Risk Mitigation, GAO-07-696, June 20, 2007

  • Information Technology: Treasury Needs to Strengthen Its Investment Board Operations and Oversight, GAO-07-865, July 23, 2007
  • July 19, 2007
    * Department of Justice Proposes Update to Identity Theft Laws

    Press release, July 19, 2007: "The Department of Justice today submitted to Congress new proposed legislation that seeks to update and improve current laws aimed at protecting Americans from the increasingly sophisticated crime of identity theft. The proposed bill, titled the Identity Theft Enforcement and Restitution Act of 2007, was a significant recommendation included in the final strategic plan from the President’s Task Force on Identity Theft released in April 2007. The strategic plan was the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack identity theft at all levels in the public and private sectors. Among other provisions, the proposed legislation seeks to ensure that victims of identity theft can recover the value of the time lost attempting to repair damage inflicted by identity theft. Under current law, restitution to victims from convicted thieves is available only for the direct financial costs of identity theft offenses."

  • See also The President's Identity Theft Task Force Strategic Plan, April 2007 (120 pages, PDF) and Volume II: Supplemental Information, April 2007 (90 pages, PDF)
  • July 17, 2007
    July 15, 2007
    * Interview With FTC Chairwoman Includes Issues of Privacy and Fraud

    sfgate.com - ON THE RECORD: DEBORAH MAJORAS CHAIRWOMAN, FTC: "She shares her thoughts on what her agency can -- and cannot -- do on everything from mergers to fraud to privacy to gas prices to infomercials," Sunday, July 15, 2007

    July 10, 2007
    * FTC Spam Summit: The Next Generation of Threats and Solutions

    Spam Summit: The Next Generation of Threats and Solutions: "A two-day conference that will bring together experts from the business, government, and technology sectors, consumer advocates, and academics to explore consumer protection issues surrounding spam, phishing and malware. The agenda and a list of participants can be found here."

    July 09, 2007
    * Google Purchases Online Security Firm Postini

    Press release: "Google Inc. announced today that it has signed a definitive agreement to acquire Postini, a global leader in on-demand communications security and compliance solutions serving more than 35,000 businesses and 10 million users worldwide. Postini's services -- which include message security, archiving, encryption, and policy enforcement -- can be used to protect a company's email, instant messaging, and other web-based communications. Under the terms of the agreement, Google will acquire Postini for $625 million in cash, subject to working capital and other adjustments, and Postini will become a wholly-owned subsidiary of Google. The agreement is subject to customary closing conditions and is expected to close by the end of the third quarter 2007."

    July 05, 2007
    * New GAO Report on Data Breaches and ID Theft

    Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. GAO-07-737, June 4, 2007.

  • "While comprehensive data do not exist, available evidence suggests that breaches of sensitive personal information have occurred frequently and under widely varying circumstances. For example, more than 570 data breaches were reported in the news media from January 2005 through December 2006, according to lists maintained by private groups that track reports of breaches. These incidents varied significantly in size and occurred across a wide range of entities, including federal, state, and local government agencies; retailers; financial institutions; colleges and universities; and medical facilities. The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft."
  • * Report - Toward a Safer and More Secure Cyberspace

    Toward a Safer and More Secure Cyberspace, Seymour E. Goodman and Herbert S. Lin, Editors, Committee on Improving Cybersecurity Research in the United States, National Research Council, 272 pages, pre-publication copy, 2007.

  • "Toward a Safer and More Secure Cyberspace examines the vulnerabilities of the Internet and offers a strategy for future research aimed at countering cyber attacks. The report also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated."

  • Table of Contents - links to full text by section

  • PDF Executive Summary, 33 pages, PDF

  • See also the "Cyber Security Research and Development Act (PL 107-305, enacted November 27, 2002) which authorized this study to provide advice regarding the appropriate locus for federal cybersecurity research.
  • July 03, 2007
    * Largest Single Personal Data Breach to Date Involves Info on 2.3 Million Customers

    Press release: "Fidelity National Information Services, Inc. announced today that its subsidiary, Certegy Check Services, Inc., a service provider to U.S. retail merchants, based in St. Petersburg, Fla., was victimized by a former employee who misappropriated and sold consumer information to a data broker who, in turn, sold a subset of that data to a limited number of direct marketing organizations...The misappropriated information included names, addresses and telephone numbers as well as, in many cases, dates of birth and bank account or credit card information. Approximately 2.3 million records are believed to be at issue, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the time period over which the misappropriations occurred."

    July 01, 2007
    * VA OIG Report Critical of Personal Data Breach Involving 1.5 Million Veterans

    Administrative Investigation Loss of VA Information VA Medical Center Birmingham, AL [Rpt. #07-01083-157 6/29/2007]

  • AP: "An Alabama VA hospital that lost sensitive data on more than 1.5 million people in January repeatedly failed to follow privacy regulations leading up to the incident..."
  • June 25, 2007
    * Report Tracks May 2007 Spam Spikes

    MessageLabs Intelligence Report: Increased Number of Spam Spikes and New Image Spam Techniques Cause Trouble for Businesses: "Analysis of [May 2007] data showed that spammers continue to innovate and employ new methods to elude traditional anti-spam solutions. Rather than embedding images in the body of an email message, spammers are now hosting images on sites that do not require registration and include links to those sites or an HTML image in the email message."

  • The full report can be downloaded here.
  • June 24, 2007
    * Special Report Examines Role of Info Industry Big Three in Web Security

    NEWS.COM Special Report: Wardens of the WebTalkBack: Global security challenge falls to an elite corps, June 25, 2007

  • "The job of policing the Web has been left to the corporate world by default. The burden weighs heavily on a trio of companies in particular: Google, Yahoo and Microsoft--the three firms with the most traffic on the Web. Their work, alone or in concert, will likely define what kind of security can be expected for e-mail, purchases, bill payment, other financial transactions and practically anything else involving personal information of the most sensitive nature."
  • June 22, 2007
    * IRS OIG Audit: Progress Has Been Slow in Meeting Homeland Security Presidential Directive-12 Requirements

    Treasury Inspector General for Tax Administration. Progress Has Been Slow in Meeting Homeland Security Presidential Directive–12 Requirements, June 20, 2007. Reference Number: 2007-20-110

  • "The Internal Revenue Service (IRS) has been experiencing delays in issuing new identification cards to employees and contractors that enhance security, reduce identity fraud, and protect the personal privacy of employees and contractors. Initially, the IRS was developing its own system for issuing the cards rather than joining with other Federal Government agencies that had already incurred much of the upfront costs associated with this effort. Consequently, the IRS was at risk of wasting taxpayer funds and delaying the implementation of this Presidential mandate."
  • June 21, 2007
    * New GAO Reports and House Hearing on Misuse of Social Security Numbers

  • Social Security Numbers: Federal Actions Could Further Decrease Availability in Public Records, though Other Vulnerabilities Remain, GAO-07-752, June 15, 2007: "Various public records in the United States, including some generated by the federal government, contain Social Security numbers (SSN) and other personal identifying information that could be used to commit fraud and identity theft. Public records are generally defined as government agency-held records made available to the public in their entirety for inspection, such as property records and court records. Although public records were traditionally accessed locally in county courthouses and government record centers, in recent years, some state and local public record keepers have begun to make these records available to the public through the Internet. While it is important for the public to have access to these records, concerns about the use of information in these records for criminal purposes have been raised."

  • Social Security Numbers: Use is Widespread and Protection Could Be Improved, GAO-07-1023T, June 21, 2007: "Since its creation, the Social Security number (SSN) has evolved beyond its intended purpose to become the identifier of choice for public and private sector entities, and it is now used for myriad non-Social Security purposes. This is significant because a person's SSN, along with name and date of birth, are the key pieces of personal information used to perpetrate identity theft. Consequently, the potential for misuse of the SSN has raised questions about how private and public sector entities obtain, use, and protect SSNs. Accordingly, this testimony focuses on describing the (1) use of SSNs by government agencies, (2) use of SSNs by the private sector, and (3) vulnerabilities that remain to protecting SSNs."


  • Related:
  • "The Federal Trade Commission today told the U.S. House Committee on Ways and Means, Subcommittee on Social Security [link to Witness List and Testimony] that to prevent thieves from obtaining consumers’ personal information, including Social Security numbers (SSNs), and using it to steal identities, government and businesses should collect only information that is necessary to meet clear legal or business needs, and protect the data they do collect. Other steps to reduce identity theft should include improved authentication techniques, which ensure that consumers are who they claim to be."

  • In testimony (pdf) before the House Ways and Means Committee, EPIC Executive Director Marc Rotenberg urged Congress to adopt legislation to address the misuse of the SSN and the growing problem of identity theft. Citing a recent report (pdf) from the Federal Trade Commission that finds that identity is the number one concern of American consumers, EPIC called for "strong and effective legislation that will limit the use of the SSN" and context-dependent identifiers "that will encourage the development of more robust systems for identification that safeguard privacy and security."
  • June 20, 2007
    * Hearing on Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security

    Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Wednesday, June 20, 2007. [links to prepared statements, testimony and relevant correspondence]

  • Information Security: Homeland Security Needs to Enhance Effectiveness of Its Program, GAO-07-1003T, June 20, 2007. "To protect and mitigate threats and attacks against the United States, 22 federal agencies and organizations were merged to form the Department of Homeland Security (DHS) in 2002. One of the department's components, U.S. Customs and Border Protection (CBP), is responsible for securing the nation's borders. DHS and CBP rely on a variety of computerized information systems to support their operations and assets. GAO has reported for many years that poor information security is a widespread problem with potentially devastating consequences. In reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue. In this testimony, GAO discusses DHS's information security program and computer security controls for key information systems. GAO based its testimony on agency, inspector general, and GAO issued and draft reports on DHS information security."
  • June 18, 2007
    June 14, 2007
    * Investigations Involving the Internet and Computer Networks

    "This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims. The report is among a series of guides on investigating electronic crime."

  • Investigations Involving the Internet and Computer Networks, By National Institute of Justice, January 2007
  • * Over 1 Million Potential Victims of Botnet Cyber Crime

    Press release: "[June 13, 2007] the Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle “botherders” and elevate the public’s cyber security awareness of botnets. OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity."

  • How to Protect Your Computer
  • June 13, 2007
    * FTC Offers Information on Botnets, Hackers, and Spam

    Press release: "Tens of thousands of consumers are unwitting accomplices of illegal spammers and at the mercy of identity thieves, warns the Federal Trade Commission. These consumers’ computers have been secretly hijacked by criminals who install spam-sending software and spyware on the computers when consumers open malicious e-mail attachments or visit a malicious Web site. After gaining access to consumers’ computers, the criminals can track consumers’ Internet surfing, steal personal information, and turn the computers into spam “zombies” that are part of a “botnet” made up of thousands of home computers through which spammers route spam. In a new consumer alert, Botnets and Hackers and Spam (Oh, My!), the FTC urges consumers to secure their personal information and stop assisting spammers."

  • See also the government consortium resource, OnGuard Online
  • June 12, 2007
    * Anti-phishing Research Group at Indiana University

    "The anti-phishing research group at Indiana University, stop-phishing.com, is striving to understand, detect and prevent online fraud, and in particular, to reduce the economic viability of phishing attacks. We achieve this goal through a cross-disciplinary research agenda in which we consider all facets of the problem, ranging from psychological aspects and technology matters to legal issues and interface design considerations. We are attuned to needs and concerns within the financial sector, among privacy advocates, and of common users, and are dedicated to turning the tide."

    June 11, 2007
    * CSI Working Group on Web Security Research Law

    Press release: "Software security researchers can disclose vulnerabilities almost to their hearts' content. Web security researchers, on the other hand, can go to jail for merely looking for a vulnerability, much less disclosing one publicly. The inaugural report of CSI's new working group explains why, and whether the legal climate is bad for the Internet."

    * U.Va. Faculty Names, SSN Security Breach

    Press release: "This Web site has been established to provide information about an Information Technology Security Incident in which a security breach in a computer application resulted in exposure of sensitive information belonging to current and former University of Virginia faculty members. A criminal investigation is being conducted by University of Virginia Police in consultation with the FBI and the University’s computing and audit professionals. The investigation has revealed that hackers tapped into the records of 5,735 faculty members."

    * EU Conference on Cooperation Against Cybercrime

    Cooperation against Cybercrime: 11-12 June 2007, Palais de l’Europe, Strasbourg, France: "Societies worldwide rely on information and communication technologies. However, the increasing dependency on such technologies is accompanied by a growing vulnerability to criminal intrusion and misuse. In response to these challenges the Council of Europe adopted the Convention on Cybercrime (ETS 185) in 2001 and the Protocol on the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems (ETS 189) in 2003."

  • Cybercrime legislation – Country profiles
  • June 10, 2007
    June 04, 2007
    * McAfee Report on State of Search Engine Safety

    The State of Search Engine Safety, June 4, 2007 - Ben Edelman, Advisor to McAfee SiteAdvisor and Hannah Rosenbaum - Research Analyst, McAfee SiteAdvisor

  • "In this study, we compare the safety of leading search engines, using McAfee SiteAdvisor’s automated Web site ratings...Since May 2006, search engine results have become safer, primarily due to improved safety of sponsored results on Google, AOL, and Ask. Despite this improvement, dangerous sites are found in search results of all of the top five search engines, and sponsored results continue to be significantly less safe than search engines’ organic results."

  • Key Findings; Introduction; Methodology; Analysis; Discussion; Resources
  • * OMB Memo, Ensuring New Acquisitions Include Common Security Configurations

    M-07-18, Ensuring New Acquisitions Include Common Security Configurations (June 1, 2007)

    May 31, 2007
    * CT Attorney General Announces Nationwide Settlement With Choicepoint For Security Breach

    Press release, May 31, 2007: Attorney General Richard Blumenthal, with attorneys general from 43 other states, announced a settlement today with ChoicePoint for allegedly failing to adequately protect consumers' personally identifiable information, resulting in a massive security breach. The Atlanta-based ChoicePoint, which collects and maintains personally identifiable information on consumers, provides identification and credential verification services to businesses, government and non-profit organizations. In February 2005, ChoicePoint announced that criminals posing as legitimate businesses accessed consumers' personally identifiable information. The company notified more than 145,000 consumers nationwide whose information may have been compromised - including nearly 6,000 from Connecticut. Under today's settlement, ChoicePoint has agreed to adopt significantly stronger security measures. Those measures include written certification and, in some cases, on-site visits by ChoicePoint to ensure the legitimacy of companies before they are allowed access to personally identifiable information. ChoicePoint will also conduct periodic audits to ensure that companies are using consumer data for legitimate purposes."

  • "If consumers meet the eligibility requirements for redress, they can complete and submit the redress form for consideration. More information is available here."
  • Related postings on ChoicePoint and data breaches
  • May 29, 2007
    * TriCipher Consumer Online Banking Study

    Press release: "...a recent TriCipher Consumer Online Banking Study, conducted by Javelin Strategy and Research, reveals that consumers would take advantage of more online banking services if banks provided stronger identity protection. The TriCipher Consumer Online Banking Study included 3,349 respondents from a random-sample panel that was representative of the U.S. population. Surprising findings uncovered that nearly 1 in 5 - estimated at 26 million - adult consumers have been victims of identity theft or fraud in their lives. And, according to survey results, over 88 million online banking customers would switch banks, or reduce online banking usage, if news reports exposed their individual institution as compromised."

    May 23, 2007
    * OMB Orders Agencies to Eliminate Unnecessary Collection of Social Security Numbers

    Clay Johnson III, Deputy Director for Management, Office of Management and Budget: M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007 (22 pages, PDF)

  • "As part of the work of the Identify Theft Task Force, this memorandum requires agencies to develop and implement a breach notification policy within 120 days."

  • See also related postings on ID theft
  • May 11, 2007
    * Google Study Identifies Malware on Ten Percent of Web Pages

    Earthtimes reports that a recent "internal survey conducted by search engine giant Google has revealed that one in every 10 pages scanned by the company is infected with malicious software that can harm the users' PC."

  • The Ghost In The Browser. Analysis of Web-based Malware, Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu.
  • May 09, 2007
    * Consumer Website Tracks State Security Freeze Laws

    FinancialPrivacyNow.org: "Identity theft is one of the fastest growing financial crimes. Nearly 10 million Americans fall victim each year. The Identity Theft Resource Center reported in 2005, on average, an ID theft victim of new account and other fraud spent 60 hours resolving problems brought on by ID theft, those victims of existing accounts spent an average of 15 hours resolving problems. A 2003 Federal Trade Commission study found that identity theft also costs U.S. businesses nearly $48 billion annually, and consumers an additional $5 billion per year. A security freeze lets consumers stop thieves from getting credit in their names. A security freeze locks, or freezes, access to the consumer credit report and credit score. Without this information, a business will not issue new credit to a thief. When the consumer wants to get new credit, he or she uses a PIN to unlock access to the credit file. These states [included at this link] give consumers this important weapon to prevent identity theft. (updated 5/8/07)"

    May 07, 2007
    * TSA Public Statement on Employee Data Security Incident

    Follow up to May 5, 2007 posting, Missing TSA Hard Drive Has Data on 100,000 Employees, this additional update from the TSA: "Today the Transportation Security Administration (TSA) announced a benefit package to provide employees and former employees affected by the data security incident with free credit monitoring for up-to one year. In addition to credit monitoring, the package includes ID theft insurance up to $25,000, fraud alerts and identity restoration specialists who will complete paperwork and assist employees in the event they are a victim of identity theft. Current and former employees can register via phone, mail or online through a secure web site. More information is available at www.tsa.gov, including a list of frequently asked questions."

    May 05, 2007
    * Missing TSA Hard Drive Has Data on 100,000 Employees

    Press release, May 4, 2007: "Yesterday the Transportation Security Administration (TSA) became aware of a potential data security incident involving approximately 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. An external hard drive containing personnel data (including name, social security number, date of birth, payroll information, bank account and routing information) was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital. It is unclear at this stage whether the device is still within headquarters or was stolen. TSA immediately reported the incident to senior DHS and law enforcement officials and launched an investigation. TSA is treating this incident as a criminal matter and has asked the FBI to investigate. The U.S. Secret Service is also assisting in the forensic review of equipment and facilities. TSA is cooperating fully." [Wired Blog]

  • Reminder: the Privacy Rights Clearinghouse maintains A Chronology of Data Breaches, January 2005-present, with information including: date the incident was made public, the name/location, the type of breach, and the number of records per incident.
  • May 03, 2007
    * Senate Committee Hearing Examines Extremists' Use of the Internet

    Senate Committee on Homeland Security and Governmental Affairs hearing on The Internet: A Portal to Violent Islamist Extremism, May 3, 2007.

    Prepared testimony submitted for this hearing:

  • "The Internet: A Portal to Violent Islamist Extremism", Testimony of Frank J. Cilluffo, Director, Homeland Security Policy Institute - "I am pleased to be here today to share the findings and recommendations of our report, NETworked Radicalization: A Counter-Strategy (34 pages, PDF). This report was developed by the Task Force on Internet-Facilitated Radicalization, which was convened under the leadership of The George Washington University’s Homeland Security Policy..."

  • Michael S. Doran [View PDF], Deputy Assistant Secretary of Defense for Support for Public Diplomacy, U.S. Department of Defense

  • Lieutenant Colonel Joseph H. Felter [View PDF], Director, Combat Terrorism Center, U.S. Military Academy
  • May 02, 2007
    * House Judiciary Committee Sends Four Crime Bills to the House Floor

    Press release: "Today, the House Judiciary Committee approved four crime bills and sent them to the House floor for consideration. The bills were: HR 1700, the "COPS Improvement Act of 2007;" HR 916, the "John R. Justice Prosecutors and Defenders Incentive Act of 2007;" HR 1525, the "Internet Spyware Prevention Act of 2007;" and, HR 1615, the "Securing Aircraft Cockpits Against Lasers Act."

    May 01, 2007
    * Committee Letter Questions Security of DHS Networks

    Press release: "Today, Committee on Homeland Security Chairman Bennie G. Thompson (D-MS) joined committee members in a letter to Department of Homeland Security Chief Information Officer Scott Charbo requesting information about the security of the Department’s networks. The letter follows up on a recent cybersecurity hearing, where members learned about the widespread hacking of government networks at the Departments of State and Commerce. The letter...poses 13 questions for response."

    April 30, 2007
    * New GAO Reports Cover Defense Acquisitions, Immigration Benefits, ID Theft and More

  • Bureau of Justice Statistics: Quality Guidelines Generally Followed for Police-Public Contact Surveys, but Opportunities Exist to Help Assure Agency Independence GAO-07-340, March 30, 2007

  • Defense Acquisitions: Missile Defense Agency's Flexibility Reduces Transparency of Program Cost GAO-07-799T, April 30, 2007

  • Defense Management: High-Level Leadership Commitment and Actions Are Needed to Address Corrosion Issues GAO-07-618, April 30, 2007

  • DOD and VA Outpatient Pharmacy Data: Computable Data Are Exchanged for Some Shared Patients, but Additional Steps Could Facilitate Exchanging These Data for All Shared Patients GAO-07-554R, April 30, 2007

  • Employer-Sponsored Health and Retirement Benefits: Efforts to Control Employer Costs and the Implications for Workers GAO-07-355, March 30, 2007

  • Immigration Benefits: Sixteenth Report Required by the Haitian Refugee Immigration Fairness Act of 1998 GAO-07-796R, April 27, 2007

  • Information Technology: Immigration and Customs Enforcement Needs to Fully Address Significant Infrastructure Modernization Program Management Weaknesses GAO-07-565, April 27, 2007

  • Medicaid Financing: Federal Oversight Initiative Is Consistent with Medicaid Payment Principles but Needs Greater Transparency GAO-07-214, March 30, 2007

  • Medicare: Focus on Physician Practice Patterns Can Lead to Greater Program Efficiency GAO-07-307, April 30, 2007

  • Nursing Workforce: HHS Needs Methodology to Identify Facilities with a Critical Shortage of Nurses GAO-07-492R, April 30, 2007

  • Privacy: Lessons Learned about Data Breach Notification GAO-07-657, April 30, 2007

  • Transportation Security: DHS Efforts to Eliminate Redundant Background Check Investigations GAO-07-756, April 26, 2007
  • April 23, 2007
    * President’s Identity Theft Task Force Releases Comprehensive Strategic Plan to Combat Identity Theft

    Press release: "Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras today announced the completion of the President’s Identity Theft Task Force strategic plan to combat identity theft. The strategic plan is the result of an unprecedented federal effort to formulate a comprehensive and fully coordinated plan to attack this widespread and destructive crime. The plan focuses on ways to improve the effectiveness of criminal prosecutions of identity theft; enhance data protection for sensitive consumer information maintained by the public sector, private sector, and consumers; provide more comprehensive and effective guidance for consumers and the business community; and improve recovery and assistance for consumers."

    Related Documents:
    Combating Identity Theft: A Strategic Plan, Final recommendations released April 23, 2007

  • Strategic Plan [PDF]

  • Volume II: Supplemental Information [PDF]
    Consumer Information:
  • Identity Theft Task Force Website

  • April 20, 2007
    * UK Consumers Not Risk Averse When Using Online Services According to New Report

    Press release: "UK consumers are not as risk-averse when it comes to using online services as previously thought, according to recent research conducted by BT. Despite daily warnings about security threats and cyber-criminals, people are willing to take risks online, as long as they feel informed, and it is clear how consequences will be addressed. According to the findings from the Trustguide report, which was a collaborative research project by BT with support from the DTI, people use specific online services not because they trust them, but because they believe the benefits outweigh the risks. Government and private industry must therefore take responsibility for educating and reassuring the public that safeguards are in place, if they are to succeed with e-Government and e-Commerce initiatives..Based on the research, the Trustguide report outlines a set of guidelines to inform policy making and service development for ICT delivered services. In addition to enabling better-informed decision-making through education, and advising users of restitution and guarantee measures should something go wrong, the report highlights the need for greater honesty and transparency of data usage by service providers.

  • Trustguide Final Report, October 2006, by Hazel Lacohée, principal researcher at BT Group’s Chief Technology Office, and Andy Phippen, lecturer in socio-technical studies, University of Plymouth. (101 pages, PDF)
  • April 19, 2007
    * Phishing Activity Trends for February 2007

    Anti-Phishing Working Group (APWG), Phishing Activity Trends for February 2007 (8 pages, PDF)

  • "The number of phishing reports received by the Anti-Phishing Working Group (APWG) came to 23,610 in February, a drop of over 6,000 from January’s previous record high of 29,930. ► For the first time ever recorded by the APWG, the United States of America has been surpassed as the top national jurisdiction for the hosting of crimeware-spreading websites. China has moved into the top spot with 46.44% of such sites in February and USA dropping to second place with 39.24%. ► The APWG saw a total of 135 brands being hijacked in February. That month saw a continuation of the January trend with many types of websites historically not typically targeted for phishing scams - such as social network portals and gambling sites - being spoofed. APWG notes that fewer brokerages were attacked in February than in January. However, more banks, credit unions and a large number of international banks and brands were spoofed. The number of unique websites hosting keyloggers reached an all time high in February with 3,121, up from 1,750 in January and eclipsing the previous record of 2,945 websites hosting keyloggers recorded in June, 2006."
  • April 11, 2007
    * Corporate Data Loss Cost Calculator

    Tech//404® Data Loss Cost Calculator: "Data loss resulting from network security breaches and identity theft has become a regular occurrence. While the number of affected records can vary widely in any given data loss scenario, a recent study by the Ponemon Institute found that the average number was roughly 99,000. For recent examples and media reports, visit the data loss archive. Darwin created the Tech//404® data loss cost calculator as a tool to demonstrate the scope of negative financial impact an organization may face as a result of a data breach or identity theft data loss scenario. The calculator will automatically generate an average cost, and a plus/minus 20% range, for expenses associated with internal investigation, notification/crisis management and regulatory/compliance if the incident were to give rise to a class action claim."

    March 26, 2007
    * Identity and Security: Moving Beyond the 9/11 Staff Report on Identity Document Security

    Press release: "Former 9/11 Commission counsel Janice Kephart announces the launch of an online Identity Document Security Library, consisting of legal, technical and policy pieces regarding identity document security. Kephart, a nationally recognized border security expert, created the library to serve as a 'one-stop-shop' information portal for those seeking objective, credible information on the issue of identity document security...The issue of identity, and information about identity, underlies the 9/11 Commission's border work, whose recommendations included the creation of minimum standards for state-issued driver licenses and IDs. Kephart's recently issued white paper, Identity and Security: Moving Beyond the 9/11 Staff Report on Identity Document Security, maintains that securing identities and identity documents is perhaps the single most effective measure the United States can take to lay a foundation for national and economic security and public safety."

    March 22, 2007
    * Symantec's 11th Internet Security Threat Report

    "The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam and security risks as well as future trends. The eleventh version of the report, released March 19, 2007, is now available."

  • Symantec Internet Security Threat Report, Volume XI: March 2007 (Trends for July - Dec 06 (104 pages, PDF)

  • Key Findings of the Internet Security Threat Report, Volume XI: March 2007 (22 pages, PDF
  • March 21, 2007
    * FTC Testifies on Identity Theft and Social Security Numbers

    Press release: "The Federal Trade Commission today told the Senate Judiciary Committee Subcommittee on Terrorism, Technology, and Homeland Security that “the government and the private sector must continue to work together to reduce the opportunities for thieves to obtain consumers’ personal information and make it more difficult for thieves to misuse that information if they obtain it.” Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection, said government and the business community should evaluate whether they need to collect and maintain the data they have about consumers, better-protect the data that they do possess, and develop better ways to authenticate customers to keep identity thieves from using the information they steal."

  • Prepared Statement of the Federal Trade Commission On Identity Theft: Innovative Solutions For An Evolving Problem, Presented by Lydia Parnes, Director, Bureau of Consumer Protection, Before the Subcommittee On Terrorism, Technology and Homeland Security of the Senate Committee on the Judiciary, United States Senate, March 21, 2007
  • March 18, 2007
    * University of Washington Report on Data Breaches Faults Companies for Organizational Mismanagement

    Press release: "If Assistant Professor of Communication at the University of Washington Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."

  • The World Information Access Project Report for 2007 will be available here
  • March 16, 2007
    * 2006 Annual Report Issued by Internet Crime Complaint Center

    Press release: "The FBI’s Internet Crime Complaint Center (IC3) today released its annual Internet Fraud Crime Report. From January 1 through December 31, 2006, the center received 207,492 complaint submissions. These filings were composed of fraudulent and non-fraudulent complaints primarily related to the Internet and included many different fraud types to include auction fraud, non-delivery, and credit/debit card fraud, as well as non-fraudulent complaints, such as computer intrusions, spam/unsolicited email..."

  • Report summary and highlights

  • e Internet Crime Complaint Center (IC3) is a joint project of the FBI and the National White Collar Crime Center. The entire 2006 Internet Fraud Crime Report, PDF
  • March 09, 2007
    * National Computer Forensic Institute Unveiled

    Press release: "The U.S. Department of Homeland Security and Alabama state officials unveiled today the National Computer Forensic Institute in Hoover, Ala., that will assist in the field of computer forensics and digital evidence analysis. The institute will be developed by the U.S Secret Service and is partially funded by the department’s National Cyber Security Division. It will serve as a national cyber crimes training facility where state and local police officers, as well as prosecutors and judges, will be offered training and equipment."

    March 08, 2007
    * SEC Suspends Trading Of 35 Companies Touted In Spam Email Campaigns

    SEC press release: "The Securities and Exchange Commission this morning suspended trading in the securities of 35 companies that have been the subject of recent and repeated spam email campaigns (see examples). The trading suspensions - the most ever aimed at spammed companies - were ordered because of questions regarding the adequacy and accuracy of information about the companies. The trading suspensions are part of a stepped-up SEC effort - code named "Operation Spamalot" - to protect investors from potentially fraudulent spam email hyping small company stocks with phrases like, "Ready to Explode," "Ride the Bull," and "Fast Money." It's estimated that 100 million of these spam messages are sent every week, triggering dramatic spikes in share price and trading volume before the spamming stops and investors lose their money."

    March 07, 2007
    * FBI Releases Annual Report to the Public

    Press release: "The arm of the FBI that investigates financial crimes ranging from underground pyramid schemes to institutionalized fraud in the nation’s corporate suites has issued its annual report detailing the most prevalent types of schemes investigators tackled in 2006. The Financial Crimes Report to the Public is prepared each year by the Financial Crimes Section of the FBI's Criminal Investigative Division. The report, which covers a 12-month period ending September 30, 2006, explains in detail dozens of fraud schemes, tallies FBI accomplishments combating the crimes, and offers tips the public can use to protect itself."

  • Financial Crimes Report to the Public Fiscal Year 2006, October 1, 2005 - September 30, 2006 - Table of Contents
  • March 05, 2007
    * USPTO Report Finds Inadvertent Filesharing Threatens Personal, Government and Corporate Data

    Press release: "...the Department of Commerce's United States Patent and Trademark Office (USPTO) released a report that concludes that the distributors of five popular filesharing programs repeatedly deployed features that they knew or should have known could cause users to share files inadvertently. The report, Filesharing Programs and "Technological Features to Induce Users to Share, identifies five features in recent versions of five popular filesharing programs that could cause users to inadvertently distribute to others downloaded files or their own proprietary or sensitive files. "Computer programs that can cause unintended filesharing contribute to copyright infringement, and they threaten the security of personal, corporate, and governmental data," noted Jon Dudas, under secretary of commerce for intellectual property-the Bush Administration's point person on copyright policy."

    March 03, 2007
    February 21, 2007
    * FTC To Host Identity Authentication Workshop

    "On April 23 and 24, 2007, the Federal Trade Commission will host a public workshop, Proof Positive: New Directions in ID Authentication, to explore methods to reduce identity theft through enhanced authentication. The workshop will facilitate a discussion among public-sector, private-sector, and consumer representatives, and will focus on technological and policy requirements for developing better authentication processes, including the incorporation of privacy standards and consideration of consumer usability issues."

    February 13, 2007
    * New Report Identifies ID Theft Rates By Geographic Area

    Findings from a new study by ID Analytics, reported by ComputerWeek, indicate that "....the riskiest states for ID theft are New York, California, Nevada and Arizona, while the safest ones are Wyoming, Vermont, Montana and North Dakota. The riskiest 5-digit zip codes for ID theft -- after Floral Park and Faulkton -- are Old Bethpage, N.Y., New York City and Manhasset, N.Y."

    February 08, 2007
    * FBI Launches E-Mail Alerts on Public Website

    "The Federal Bureau of Investigation (FBI) has launched a service that sends out electronic mail (e-mail) alerts when new and vital information is posted on the FBI.gov Web site. Subscribers select which topics that they want updates on, such as new electronic scams (e-scams) and warnings, most wanted terrorists, top ten fugitives, and local and national press releases. The alerts are transmitted as soon as updates are posted to the FBI's Web site or published in their daily, weekly, or monthly digests. The FBI views this service as a means of furthering American citizens' safety by keeping them informed. No personal information is required to sign up for this service, just an e-mail address to where the alerts will be sent. To sign up for the service please visit the www.FBI.gov."

    February 07, 2007
    * FTC Issues Annual List of Top Consumer Complaints

    Press release: "The Federal Trade Commission today issued its annual report, “Consumer Fraud and Identity Theft Complaint Data” on complaints consumers have filed with the agency. For the seventh year in a row, identity theft tops the list, accounting for 36 percent of the 674,354 complaints received between January 1 and December 31, 2006. Other categories near the top of the complaint list include shop-at-home/catalog sales; prizes, sweepstakes and lotteries; Internet services and computer complaints; and Internet auction fraud."

  • Consumer Fraud and Identity Theft Complaint Data
    January - December 2006

  • State Specific Releases
  • February 06, 2007
    * New York State CIO Issues IT Trust Model Best Practice Guidelines

    New York State Office of the CIO: "Identity and Access Management (IAM) provides an effective way to protect computer-based services and data for all state and local agencies from unauthorized access. Organizational business requirements often result in the need to grant external users access to services and data or to achieve multi-organizational system interoperability. Demand has become more prevalent due to legislative mandates and increasing connectivity offered by public and private networks. Issuing the NYS Trust Model as a best practice guideline (G07-001) is the first step in establishing a long term Identity and Access Management (IAM) strategy for the state enterprise. The NYS Trust Model establishes basic standards and processes that govern how identity credentials are issued, protected and managed."

  • NYS Trust Model Best Practice Guideline, issued January 5, 2007
  • February 05, 2007
    * DOE OIG Report on Data Breach at National Nuclear Security Administration Plant

    Inspection Letter Report, Alleged Loss or Theft of Personally Identifiable Information at Pantex, February 2, 2007.

    * Study on Website Authentication Shows Users Often Disregard Security Measures

    The Emperor's New Security Indicators, An evaluation of website authentication and the effect of role playing on usability studies, working draft released February 4, 2007. Authors: Stuart E. Schechter (MIT), Rachna Dhamija (Harvard), Andy Ozmet (MIT), Ian Fischer (Harvard).

    February 02, 2007
    * 2007 Identity Fraud Survey Report

    "The Javelin 2007 Identity Fraud Survey Report provides a detailed, comprehensive analysis of identity fraud in the United States, in order to help consumers and businesses better understand the effectiveness of methods used for its prevention, detection and resolution. A nationally representative sample of over 5,000 US adults, including 458 fraud victims, is surveyed via a 44-question phone interview to gain insight into this crime and its effects upon its victims. This report is issued as a longitudinal update to the Javelin 2006 Identity Fraud Survey Report, the Javelin 2005 Identity Fraud Survey Report and the Federal Trade Commission’s (FTC) 2003 Identity Theft Survey Report. Report Preview."

    January 30, 2007
    * National Infrastructure Advisory Council Final Report on Cyber Threats

    Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group Final Report and Recommendations (PDF, 42 pages), January 19, 2007 and Transmittal Letter (PDF, 2 pages), January 19, 2007.

    January 29, 2007
    * Cyber Threat Calculator Released for Government Use

    Press release: "The University of New Hampshire Cyber Threat Calculator was unveiled Thursday, January 25, 2007, at the Department of Defense Cyber Crime Conference 2007 in St. Louis, Missouri. The UNH Cyber Threat Calculator was developed by researchers at UNH Justiceworks and students, and offers a new method to identify and quantify the threats posed to the United States' cyber infrastructure."

  • UNH Justiceworks Research and Analysis Group
  • January 26, 2007
    * Anti-Spyware Coalition Releases Best Practices Documents For Public Comment

  • Best Practices Suggestions Document: "Building upon the Definitions and Risk Model documents, the Best Practices document aims to expand past defining what behaviors and consent factors will currently make software potentially unwanted and to focus upon making the marketplace better. This document highlights the sorts of technological behaviors that limit the negative impact of potentially unwanted technologies." Public Comment Draft (January 25, 2007) [HTML|PDF]

  • Conflicts Resolution Document
    Anti-Spyware software, as part of its operation, regularly interfaces with parts of a computer's operating system that control specific and low-level pieces of architechture. Multiple pieces of software all attempting to operate on the same low-level controls can cause conflicts. This document is intended to provide voluntary guidelines within the Anti-Spyware industry to assist in avoiding and resolving conflicts between suites of Anti-Spyware software and to better serve consumers. Public Comment Draft (January 25, 2007) [HTML|PDF]
  • January 17, 2007
    January 16, 2007
    * Investigations Involving the Internet and Computer Networks

    "This National Institute of Justice Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims."

  • Investigations Involving the Internet and Computer Networks, by National Institute of Justice, January 2007 (NCJ 210798)
  • January 11, 2007
    * FBI Investigating UCLA Data Breach

    Press release: "The FBI in Los Angeles announced it opened an investigation to determine who hacked into a restricted database at the University of California at Los Angeles (UCLA) that held the names and personal information of some 800,000 students, faculty, and alumni. Anyone who thought they had been further victimized as a result of the breach was encouraged to contact the Internet Crime Complaint Center (IC3)."

    January 10, 2007
    * Senator Feinstein Reintroduces Bills Aimed At Thwarting ID Theft

    Press release: "U.S. Senator Dianne Feinstein (D-Calif.) today reintroduced two bills [Notification of Risk to Personal Data Act and the Social Security Number Misuse Prevention Act] aimed at protecting individuals from identity theft by requiring businesses to notify consumers in the event of a security breach and prohibiting the sale or display of an individual’s Social Security number without his or her consent. Senator Feinstein said that the increased frequency of data breaches demonstrates that the legislation is needed sooner rather than later. Major data breaches have occurred in recent months at Boeing, UCLA, the Colorado Department of Human Services, Starbucks, the Chicago Voters' Database, and Akron Children's Hospital."

    * Cisco Announces Agreement to Acquire IronPort

    Press release, January 4, 2007: "Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection."
    Related news:

  • News.com - "Cisco Systems' purchase of e-mail security specialist IronPort Systems is another sign that big-name vendors are taking over the spam fight, analysts say."

  • Press release: "RSA, The Security Division of EMC, announced today that its 24x7 Anti-Fraud Command Center (AFCC) has uncovered a new phishing kit being sold and used online by fraudsters. This new kit, a Universal Man-in-the-Middle Phishing Kit, is designed to facilitate new and sophisticated attacks against global organizations in which the victims communicate with a legitimate web site via a fraudulent URL set by the fraudster. This allows the fraudster to capture victims' personal information in real-time."
  • December 26, 2006
    December 20, 2006
    * NH AG Announces Security Freeze Available on January 1, 2007

    Press release: "Attorney General Kelly Ayotte announced today that if you live in New Hampshire, effective January 1, 2007 you will have the right to put a "security freeze" on your credit file. A security freeze means that your file cannot be shared with potential creditors. A security freeze can help prevent identity theft. Most businesses will not open credit accounts without first checking a consumer's credit history. If your credit files are frozen, even someone who has your name and Social Security number would probably not be able to get credit in your name. The security freeze legislation passed in the 2006 legislative session....A security freeze fact sheet, including step by step instructions on how to place a security freeze, is available here."

    December 13, 2006
    * Gartner Releases 10 IT Predictions for 2007 and Beyond

    Press release: Among the predicitions, is the following - "Blogging and community contributors will peak in the first half of 2007. Given the trend in the average life span of a blogger and the current growth rate of blogs, there are already more than 200 million ex-bloggers. Consequently, the peak number of bloggers will be around 100 million at some point in the first half of 2007."

    November 30, 2006
    * Guide to Securing Your IT Infrastructure

    From Bank System and Technology:

  • The Top 10 Information Security Myths - "If you buy into all of these commonly held beliefs, you'd better believe your data is at risk. We separate the facts from fiction."

  • Top 10 Most Overlooked Aspects of IT Security
  • November 29, 2006
    * New EU Communication on Spam

    Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety is on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."

  • Related press release: "Sophos, a world leader in IT security, has published its latest report on the top twelve spam relaying countries over the third quarter of 2006. Sophos experts believe that a possible reason for America's increasing lead in relayed spam when compared to its closest rival, China, is the emergence of over 300 strains of the mass-spammed Stratio worm."
  • * DOE IG Memo On Security Problems at Los Alamos

    Audit Report - Secretary of Energy From DOE Inspector General Gregory Friedman, Selected Controls over Classified Information at the Los Alamos National Laboratory, November 27, 2006.

    November 28, 2006
    * DOT Status Report on OIG Data Security

    Status Report on OIG Data Security via the Data Security Portal: "Our November 21, 2006, status report notes several important developments, including the fact that as a result of our investigation in cooperation with the Federal Bureau of Investigation and the Miami-Dade County Police Department, two individuals have been arrested for their alleged roles in a small Miami-area laptop theft ring. While the OIG's laptops have not been recovered, there has been no credit fraud resulting from the laptop thefts and we believe that the risk of credit fraud in the future is very low. A firm hired to perform data breach analysis has failed to find any misuse of information on the laptops, and will continue to analyze the information..."

    November 20, 2006
    * GAO Report On Need for Agency Policies to Test Information Security

    Information Security: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing. Full text, GAO-07-65, and Highlights, October 20, 2006.

    * Spamhaus List of World's Top 10 Spammers

    "Up to 80% of spam targetted at Internet users in North America and Europe is generated by a hard-core group of around 200 known professional spam gangs whose names, aliases and operations are documented in Spamhaus' Register Of Known Spam Operations (ROKSO) database. This TOP 10 chart of ROKSO-listed spammers is based on those Spamhaus views as the highest threat, the worst of the career spammers causing the most damage on the Internet currently. Spamhaus flags these as a priority for Law Enforcement Agencies."

    November 17, 2006
    November 16, 2006
    * Symantec Phish Report Network Opens to Consumers Worldwide

    Press release: "Symantec Corp...announced the opening of the Symantec Phish Report Network to consumers worldwide. As one of the world's leading antifraud communities, the Symantec Phish Report Network, launched in May 2006, allows member companies to contribute and receive fraudulent Web site addresses that they can use in their antiphishing solutions to help protect users from online fraud. Consumer input further helps the Symantec Phish Report Network's fight against online fraud and will aid in preventing other computers users from becoming victims."

  • See also "PhishTank...a free community site where anyone can submit, verify, track and share phishing data."
  • November 12, 2006
    * ChoicePoint Redux: Restoring Reputation and Brand

    Follow up to previous postings on ChoicePoint and data breaches, today's New York Times article, Keeping Your Enemies Close, provides a chronology of how the company has made inroads in rehabilitating its reputation.

  • See also Who will speak for customer? by David Lazarus, Wednesday, November 1, 2006
  • November 07, 2006
    * Study Reveals One in 10 Respond to Fraudulent 'Phishing' Messages

    Will Knight at New Scientist reports the research by Professor Markus Jakobsson and grad student Jacob Ratkiewicz, Indiana University, indicates "...one in 10 internet users may be lured into handing over sensitive personal information such as a credit card number, by fraudulent "phishing" emails..." and "that some survey participants may not have realised that they have been stung by a phishing scam, or may simply be too embarrassed to admit to it."

  • Designing Ethical Phishing Experiments: A study of (ROT13) rOnl query features

  • See also Alex Tsow, Markus Jakobsson, Liu Yang, Susanne Wetzel.
    Warkitting: the Drive-by Subversion of Wireless Home Routers. Anti-Phishing and Online Fraud, Part II Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006
  • November 02, 2006
    * New Air Force Cyberspace Command

    Press release: "The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command as the provider of forces that the President, combatant commanders and the American people can rely on for preserving the freedom of access and commerce, in air, space and now cyberspace," said Secretary of the Air Force Michael W. Wynne.

    October 27, 2006
    * Symantec Releases New Internet Security Threat Report

    "The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam, security risks, and future trends. The tenth version of the report, released September 25, is now available."

  • Symantec Internet Security Threat Report Volume X: September 2006 (120 pages, PDF)
  • October 13, 2006
    * Committee Report Finds Data Breaches Throughout Federal Government

    Press release: "In a report released today, Reps. Davis and Waxman summarize information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected."

    Key Conclusions:

  • 1. Data loss is a government-wide occurrence.
  • 2. Agencies do not always know what has been lost.

  • 3. Physical security of data is essential.

  • 4. Contractors are responsible for many of the reported breaches.

  • October 13, 2006 - Staff Report Agency Data Breaches Since January 1, 2003

  • Agency Response Letters Part One

  • Agency Response Letters Part Two

  • Related postings on ID theft and cybercrime

  • OMB issued a memorandum of Recommendations for Identity Theft Related Data Breach Notification, from Clay Johnson, Deputy Director for Management, September 22, 2006

  • October 12, 2006
    * CMO Council Survey on ID Theft Tracks Growing Consumer Concern

    Press release, October 4, 2006: "As information security concerns among consumers and other customer constituencies rise, just 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to findings of a major research initiative by the Chief Marketing Officer (CMO) Council. Without such a plan and other security strategies in place, companies are at risk of losing hundreds of million of dollars in market value and loss of reputation and brand trust, according to the study's findings."

  • The CMO Council's full report is available for purchase, and an 18 page PDF version as follows: Secure the Trust of Your Brand - Assessing the Mindset of Consumers, 2006.
  • October 11, 2006
    * New Coalition Website Takes Aim Against Cybercrime

    Launched today, the Take a Byte Out of Cybercrime website: "Led by the beloved McGruff character, the National Crime Prevention Council, the CMO Council and FAME have joined forces to bring together one of the largest and most influential coalitions of private and public companies whose primary goal is to teach millions of consumers how to identify, report and protect themselves against cyber crime." [download the tip sheets]

    * UK Targeted in Computer Data Theft

    Press release: "The Metropolitan Police Computer Crime Unit is investigating data recovered from a computer in the United States that was found to contain personal information from hacked computers located in the United Kingdom. We believe the data has been stolen by the use of a computer virus and it is believed more than 2,300 compromised computers in the UK consisting of 83,000 files have been targeted."

    October 09, 2006
    * DHS OIG Audit of Agency Laptop Security

    (U) Office of Inspector General Laptop Computers are Susceptible to Compromise (Unclassified and Redacted) OIG-06-58 (PDF, 48 pages), released October 2, 2006.

    September 29, 2006
    * U.S. Becomes Party to Council of Europe Convention on Cybercrime

    Press release: "On September 22, 2006, the President signed the United States' instrument of ratification for the Council of Europe Convention on Cybercrime. Today, the United States became a party to the Convention upon deposit of the instrument of ratification at the headquarters of the Council of Europe in Strasbourg, France. The Convention will enter into force for the United States on January 1, 2007. The Convention entered into force on July 1, 2004. As of September 27, 2006, there were 43 Signatories and 15 Parties to the Convention."

  • The text of the Convention
  • September 28, 2006
    * Frank Asks FTC and Credit Bureaus to Respond to Consumer Complaints

    Press release: "Congressman Barney Frank yesterday wrote to the Chairman of the Federal Trade Commission (FTC) and representatives of the credit reporting industry asking that they look into the numerous complaints from consumers about access to credit reports and fraud alerts." [text of letter is included in this release]

    September 25, 2006
    * Pew Internet Project Releases Second Report on Future of the Internet

    "A survey of internet leaders, activists, and analysts shows that a majority agree with predictions that by 2020 [Link to The Future of the Internet II (115 pages, PDF)]:

  • A low-cost global network will be thriving and creating new opportunities in a “flattening” world.

  • Humans will remain in charge of technology, even as more activity is automated and “smart agents” proliferate. However, a significant 42% of survey respondents were pessimistic about humans’ ability to control the technology in the future. This significant majority agreed that dangers and dependencies will grow beyond our ability to stay in charge of technology. This was one of the major surprises in the survey.

  • Virtual reality will be compelling enough to enhance worker productivity and also spawn new addiction problems.

  • Tech “refuseniks” will emerge as a cultural group characterized by their choice to live off the network. Some will do this as a benign way to limit information overload, while others will commit acts of violence and terror against technology-inspired change.
  • People will wittingly and unwittingly disclose more about themselves, gaining some benefits in the process even as they lose some privacy.

  • English will be a universal language of global communications, but other languages will not be displaced. Indeed, many felt other languages such as Mandarin, would grow in prominence."
  • September 14, 2006
    * DOD OIG Audit of Information Assurance Weaknesses

    Department of Defense Office of the Inspector General -- Audit Summary of Information Assurance Weaknesses Found in Audit Reports Issued from August 1, 2005, through July 31, 2006 - Report No. D-2006-110 (PDF) - Date: September 14, 2006.

  • "This report summarizes information assurance weaknesses that the Government Accountability Office, the DoD Office of the Inspector General, the Army Audit Agency, the Naval Audit Service, and the Air Force Audit Agency reported between August 1, 2005, and July 31, 2006. It supports the Federal Information Security Management Act of 2002, which requires agencies submit to the Office of Management and Budget the results of an annual independent evaluation of the effectiveness of their information security programs and practices. The evaluation should include testing of the effectiveness of information security policies, procedures, and practices of a subset of the agency’s information systems and may be based, in whole or in part, on an audit, evaluation, or report relating to agency programs or practices. This report is the eighth information assurance summary report issued by the DoD Office of the Inspector General since January 1999."
  • * Operation Cyber Storm Report Released by DHS

    Press release: "The U.S. Department of Homeland Security (DHS) announced today the release of the Cyber Storm Public Exercise Report. The report details key findings from Cyber Storm which was the largest and most complex multi-national, government-led cyber exercise to examine response, coordination, and recovery mechanisms to a simulated cyber event within international, federal, state, and local governments and in conjunction with the private sector."

  • Fact Sheet: Cyber Storm Exercise

  • Department of Homeland Security, National Cybersecurity Division: Cyber Storm Exercise Report, September 13, 2006 (23 pages, PDF).

  • See also Critical Infrastructure Protection: DHS Leadership Needed to Enhance Cybersecurity, Full text GAO-06-1087T, and Highlights, September 13, 2006 - "DHS faces a number of challenges that have impeded its ability to fulfill its cybersecurity responsibilities, including establishing effective partnerships with stakeholders, demonstrating the value it can provide to private sector infrastructure owners, and reaching consensus on DHS's role in Internet recovery and on when the department should get involved in responding to an Internet disruption."
  • September 07, 2006
    * FTC Settles Against Alleged Spyware Operation

    FTC press release: "An operation that placed spyware on consumers' computers in violation of federal laws will give up more than $2 million to settle Federal Trade Commission charges. Under a stipulated final judgment and order, the defendants are permanently prohibited from interfering with a consumer's computer use, including but not limited to distributing software code that tracks consumers' Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers' computers."

    September 04, 2006
    * Guide to Collecting Evidence from a Running Computer

    SEARCH, The National Consortium for Justice Information and Statistics - Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community, August 2006.

    * Researchers Announce "Phoolproof Phishing Prevention"

    Press release: Carnegie Mellon CyLab researchers create new system to address phishing fraud [ZDNet]

  • Phoolproof Phishing Prevention - Bryan Parno, Cynthia Kuo, Adrian Perrig: "Phishing attacks exploit a user’s inability to distinguish legitimate websites from spoofed websites. Unfortunately, humans are ill-suited for performing the security checks necessary for secure site identification. Phoolproof Phishing Prevention uses a trusted device to perform mutual authentication that eliminates reliance on perfect user behavior, thwarts Man-in-the-Middle attacks after setup, and protects a user’s account even in the presence of keyloggers and most forms of spyware."
  • August 25, 2006
    * June Phishing Trends Report Available

    From the Antiphishing Working Group, the June Phishing Activity Trends Report.

    August 16, 2006
    * Prosecutors in State Courts, 2005

    Bureau of Justice Statistics, Prosecutors in State Courts, 2005: "Presents findings from the 2005 National Survey of Prosecutors, the latest in a series of data collections about the Nation's 2,300 State court prosecutors’ offices that tried felony cases in State courts of general jurisdiction. This study provides information on the number of staff, annual budget, and felony cases closed for each office. Information is also available on the use of DNA evidence, computer-related crimes, and terrorism cases prosecuted. Other survey data include special categories of felony offenses prosecuted, types of non-felony cases handled, number of felony convictions, number of juvenile cases proceeded against in criminal court, and work-related threats or assaults against office staff."

    * Washington AG Sues Companies for Violation of Anti-Spyware Law

    Press release, August 14, 2006: "Washington State Attorney General Rob McKenna... announced the filing of Washington's second lawsuit under the state's computer spyware act. The state's suit accuses four California-based corporations of installing software that takes control of a consumer's computer by launching aggressive and persistent pop-ups that demand payment for a movie download service."

  • Copy of the Movieland Complaint, (22 pages, PDF)


  • Related news and government documents:
  • April 18, 2006 press release: McKenna Announces Oregon Man to Pay Under Washington Spyware Law - $84,000 settlement first in state's Spyware Cleaner case

  • 2005 State Legislation Relating to Internet Spyware or Adware

  • 2006 State Legislation Relating to Internet Spyware or Adware

  • August 15, 2006
    * New National Survey on Enterprise Data Security Risks

    Ponemon Institute Releases National Survey on Confidential Data at Risk

  • "Stored data presents unique challenges for enterprise security, and the U.S. Survey: Confidential Data at Risk is a first-of-its-kind study on the topic. Derived from a national sampling of nearly 500 experienced information security practitioners, the survey reveals a number of key findings, including: 81 percent of companies surveyed reported the loss of one or more laptop computers containing sensitive information during the previous 12 months."
  • * FDIC Issues New Consumer Phishing Alert

    Consumer Alert: New Phishing Attack Claims to be FDIC

  • "The FDIC is aware of a phishing e-mail that has the appearance of being sent from the FDIC. The name "Federal Deposit Insurance Corporation" appears on the "From" line and the subject is, "IMPORTANT: Notification of Federal Deposit Insurance Corporation." This e-mail claims that the FDIC has received an application from the receipt's bank to insure their checking or savings account against fraud, phishing and identity theft. The e-mail further instructs the recipient to enroll in "the FDIC protection system" by clicking on a link to a spoofed FDIC Web page."
  • August 10, 2006
    * Federal ID Theft Legislation Delayed in Favor of State and Industry Efforts

    Industry, Government Fret Over Tactics for Fighting Data Theft, by Marcia Coyle, The National Law Journal, August 10, 2006.

    August 07, 2006
    * StopBadware.org Begins Issuing Warnings to Google Users

    StopBadware.org Blog: "We're entering a new phase here at StopBadware.org. Google—which is one of our partners—will present people with a warning before they visit websites that have been reported to StopBadware.org as sites that distribute badware. These warnings currently link to a general page on StopBadware.org, but as we finish researching sites, we'll replace the general page with one of our individual website reports (see an example here). Hopefully this next step will bring us that much closer to fulfilling our mission of providing people with reliable, objective information about downloadable applications in order to help them make better choices."

    August 04, 2006
    * Passage of the Cybercrime Convention

    Statement of Attorney General Alberto R. Gonzales on the Passage of the Cybercrime Convention, August 6, 2006: "The Cybercrime Convention - the first of its kind - will be a key tool for the United States in fighting global, information-age crime. This treaty provides important tools in the battles against terrorism, attacks on computer networks, and the sexual exploitation of children over the Internet, by strengthening U.S. cooperation with foreign countries in obtaining electronic evidence. The Convention is in full accord with all U.S. constitutional protections, such as free speech and other civil liberties, and will require no change to U.S. laws."

  • Convention on Cybercrime

  • Convention on Cybercrime - CETS No.: 185, Status as of August 4, 2006 - Treaty open for signature by the member States and the non-member States which have participated in its elaboration and for accession by other non-member States.

  • Senate ratifies controversial cybercrime treaty
  • * Special Report on Department of Defense's Cyber Crime Center

    Special Report | Computer forensics: The new DNA

    August 03, 2006
    * Small Business Information Security Act of 2006

    Press release: "Senator Olympia J. Snowe (R-ME), Chair of the Senate Committee on Small Business and Entrepreneurship, today introduced the "Small Business Information Security Act of 2006," (S. 3786) legislation that will create the "Small Business Information Security Task Force" within the Small Business Administration to help small businesses both understand the information security challenges they face and identify resources to help meet those challenges."

    July 30, 2006
    * AARP Research Report on Security Breaches and Identity Theft

    Into the Breach: Security Breaches and Identity Theft/Research Report
    July 2006
    — "Security breaches of data files can lead to identity theft. In this AARP Public Policy Institute Data Digest, Neal Walters analyzes 244 breaches between January 1, 2005 and May 26, 2006, and finds that 40 percent were caused by hackers or insider access targeting sensitive personal information, potentially exposing 50 million individuals’ names and personal data."

    July 29, 2006
    * GSA Alerts Public to Recent E-mail Scheme

    GSA press release: "The U.S. General Services Administration’s (GSA) Office of Citizens Services & Communications is warning the public to avoid falling victim to a recent e-mail scheme that targets users by sending unsolicited e-mails allegedly from FirstGov, the citizen portal operated by GSA. These scam e-mails tell recipients that because of recent fraudulent activities on Money Access Online they need to confirm their account has not been stolen or hacked. The e-mails then direct recipients to click on a link and enter information related to personal credit card accounts."

    July 28, 2006
    * Coalition of Public and Consumer Groups Criticize Proposed Data Breach Legislation

    EPIC: "A data breach notification bill [H.R. 3997] backed by the House Financial Services Committee drew criticisms from state law enforcement officials and a coalition of consumer groups, who said that existing state laws are more effective at protecting consumers. In a letter to House leadership signed by 48 state attorneys general, the National Association of Attorneys General stated that an effective data breach law should preserve strong consumer protections and allow states to enforce data breach laws. Consumer groups said that the Financial Data Protection Act "does nothing positive for consumers and rolls back existing state consumer protection laws."

    July 27, 2006
    * DHS OIG Report on Enhancing Laptop Computer Security

    Improved Administration Can Enhance Science and Technology Laptop Computer Security (Redacted), OIG-06-42 (PDF, 36 Pages), July 27, 2006.

    July 23, 2006
    * MarkMonitor Reports Domain-Based Phishing Attacks Now Represent 73 Percent of All Phishing Scams

    Press release: "According to MarkMonitor's AntiFraud Operations Center™ (AFOC), domain-based phishing attacks now represent 73 percent of all attacks, up from 35 percent just 18 months ago." Related reference in this press release to an academic paper titled, Why Phishing Works.

  • beSpacific postings on ID theft and cybercrime
  • July 18, 2006
    * Hearing on Phishing Remedies

    The Subcommittee on Financial Institutions and Consumer Credit, chaired by Rep. Spencer Bachus (AL), held a hearing today entitled "ICANN and the Whois Database: Providing Access to Protect Consumers from Phishing." Government officials contend that access to Whois data is essential in the effort to combat cybercrimes, while privacy advocates maintain that access to data on domain name holders facilitates phishing, spam and other types of fraud.

  • Prepared Testimony
  • July 13, 2006
    * 2006 CSI/FBI Computer Crime and Security Survey

    Press release: The Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad today released its 2006 report citing that virus attacks are the leading cause of financial losses. The top four categories -- virus attacks, unauthorized access to networks, lost/stolen laptops or mobile hardware and theft of proprietary information or intellectual property -- according to the 2006 Computer Crime and Security Survey, account for more than 74 percent of financial loss."

  • 2006 CSI/FBI Computer Crime and Security Survey (30 pages, PDF)
  • July 12, 2006
    * Forensic Investigation of State Department Computer Breaches Ongoing

    AP: "Computer break-ins at the State Department that caused broad disruptions in recent weeks apparently originated in the East Asia-Pacific region, a department spokesman said Wednesday."

  • Daily Press Briefing, Sean McCormack, State Department Spokesman
    Washington, DC, July 12, 2006
    : "First of all, the systems affected were unclassified computer systems...Our folks monitored this attempt and took immediate steps to prevent any loss of sensitive U.S. Government information. There is an ongoing forensic investigation to examine exactly what happened and to try to learn from that, but the initial findings of the investigation are that there was no compromise of sensitive U.S. Government information."
  • July 11, 2006
    * VA OIG Audit of Veterans Data Breach

    Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans, Rpt. #06-02238-163, July 11, 2006 (78 pages, PDF)

  • Related postings on the VA data breach
  • July 10, 2006
    * Commentary on Security Breaches Resulting from Offshoring of Customer Data

    Risky Business? How Multinationals' Outsourcing Involving Customer Data Can Lead to Identity Theft and Other Fraud, by Anita Ramasastry.

    July 07, 2006
    * Laptops and Lack of Encryption Are Weak Links in Data Breaches

    In the wake of the steady stream of news (the latest at this time is here) about stolen laptops and data breaches impacting state and federal government agencies and personnel, as well as corporations large and small, this AP article raises an important question: "...Why is so much private data allowed to be on laptops to begin with?"

    July 05, 2006
    * Most Large North American Organizations Subjected to Security Breaches

    Press release: "CA today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security."

  • See also As data breaches pile up, OMB cracks down - Experts call for CIOs to have more authority
  • July 03, 2006
    * Chronology of Data Breaches Reported Since the ChoicePoint Incident

    From the Privacy Rights Clearinghouse, A Chronology of Data Breaches Reported Since the ChoicePoint Incident, updated June 30, 2006. Breaches reported in June 2006 include the Nebraska Treasurer's Office and the Minnesota Dept. of Revenue.

    June 28, 2006
    * Hearings on Social Networking and Internet Safety For Kids

    Hearings were held June 27 and June 28, 2006 by the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce, on Making the Internet Safe for Kids: The Role of ISP's and Social Networking Sites.

    Related government news and documents:

  • Press release: "The Federal Trade Commission today called on social networking sites to make sure children visiting their sites can stay safe and their parents can protect them...The testimony describes FTC actions to protect children online through consumer education and law enforcement. Last month, the FTC provided advice for parents and children about safely using social networking sites such as MySpace, Facebook, and others. The tips are featured on one of the most popular sections of OnGuard Online, an online education resource covering safe and secure computing."

  • Social Networking Sites: Safety Tips for Tweens and Teens

  • Social Networking Sites: A Parent's Guide

  • Postings on social networking

  • June 27, 2006
    * CDT Issues Spyware Enforcement Report

    Press release: "CDT's report charts the important cases against spyware distributors and identifies the statutes applied, June 26, 2006."

  • A Report by the Center on Democracy and Technology: Spyware Enforcement (16 pages, PDF)

  • * Security Issues For Portable Devices Increase With Data Theft Reports

    WSJ free feature: Laptop Lockdown - Companies Start Holding Employees Responsible for Security Of Portable Devices They Use for Work

  • Postings on ID theft and cybercime
  • June 26, 2006
    * Data Security Act of 2006

    Press release: "Sen. Bob Bennett (R-Utah) and Sen. Tom Carper (D-DE), members of the Senate Banking Committee, today introduced legislation to help protect individuals and businesses from the rampant crimes of identity theft and account fraud...The new bill requires that all entities – such as financial institutions, universities, retailers and federal agencies –safeguard sensitive information, investigate security breaches and notify consumers when there’s a substantial risk of identity theft or account fraud. That means retailers that take credit card information are now covered; data brokers who compile private information are covered; and government agencies that possess nonpublic personal information are also covered."

  • A copy of the bill summary, Sen. Bennett's opening statement, as well FAQs of the measure
  • June 20, 2006
    * Industry Leaders Call For Federal Privacy Legislation

    The Consumer Privacy Legislative Forum (whose members include Google, Microsoft, Oracle, EBay Inc., Hewlett-Packard Co., Intel Corp., Sun Microsystems Inc. and Symantec Corp.) issued a statement supporting "a serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework."

  • Google Official Blog: "On an Internet beset with spyware, malware, phishing, identity-theft, and other privacy threats, enforcement of privacy protections has become an industry-wide challenge, and highlights the lack of a coherent regulatory structure. Google strongly supports the adoption of a federal consumer privacy law. It would be good for our users, and would contribute to consumer trust on the Internet as a platform for communication, expression, e-commerce, and so forth."
  • * According to GAO, VA Still Does Not Have Comprehensive Info Security Program

    Following up on previous postings on the VA data breach, today the GAO issued yet another related report - Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs, Full text GAO-06-897T, and Highlights, June 20, 2006.

  • "For many years, significant concerns have been raised about VA's information security--particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information. GAO and the department's inspector general have reported recurring weaknesses throughout VA, including the Veterans Benefits Administration, in such areas as access controls, physical security, and segregation of incompatible duties. The department has taken steps to address these weaknesses, but these have not been sufficient to establish a comprehensive information security program."
  • June 19, 2006
    * Theft of Laptops With Personal Data Increasingly Common

    Yet another report today about the theft of a laptop from the home of a government employee, this time involving info on D.C. government personnel. The issue of why so many institutions have not implemented proper security measures, such as encryption on digital media removed from the office, remains baffling.

    June 16, 2006
    * Law Enforcement Officials Report Rise in Rate and Sophistication of Cybercrime

    News.com: "Cybercrooks are organizing better and moving to more sophisticated tactics to get their hands on confidential data and turn PCs of unwitting users into bots, representatives from the U.S. Department of Justice and the U.S. Air Force Office of Special Investigations said in separate presentations here at the Computer Security Institute's NetSec event this week."

    * Quartet of ID Theft Bills Introduced in Congress This Week

  • S. 3506 - A bill to prohibit the unauthorized removal or use of personal information contained in a database owned, operated, or maintained by the Federal government. Sponsor: Sen Akaka, Daniel K. [HI] (introduced 6/13/2006)

  • S. 3514 - A bill to amend title 18, United States Code, to restrict the public display on the Internet of the last 4 digits of social security account numbers by State and local governments, and for other purposes. Sponsor: Sen Schumer, Charles E. [NY] (introduced 6/14/2006)

  • H.R. 5582 - To require Federal agencies, and persons engaged in interstate commerce, in possession of data containing personal information, to disclose any unauthorized acquisition of such information. Sponsor: Rep Lantos, Tom [CA-12] (introduced 6/12/2006)

  • H.R. 5588 - To require the Secretary of Veterans Affairs to protect sensitive personal information of veterans, to ensure that veterans are appropriately notified of any breach of data security with respect to such information, to provide free credit monitoring and credit reports for veterans and others affected by any such breach of data security, and for other purposes. Sponsor: Rep Salazar, John T. [CO-3] (introduced 6/12/2006)

  • Related postings on ID theft
  • June 15, 2006
    * Continued Warnings About Use of Social Security Numbers and Rise of ID Theft

    Follow-up to recent postings VA ID theft and the continuous reports on government and corporate enterprise data breaches, see this Gartner press release: Gartner Says Rash of Personal Data Thefts Shows Social Security Numbers Can No Longer Be Sole Proof of Identity for Enterprises.

  • According to Gartner VP Avivah Litan, "Companies should not rely on Social Security numbers alone as proof of individual identity...As many as one-in-seven adult Social Security numbers in the U.S. may already have been compromised."


  • Related sources:
  • Alternatives include smart cards

  • Stolen Laptops and Data Theft: Why the Privacy Act Lawsuit against the Veteran's Administration May Succeed, and Why We Need Similar Remedies in the Private Sector, by Anita Ramasastry

  • June 14, 2006
    * VA's Information Security Weaknesses Highlighted in GAO Report and Hearings

    Related to previous postings on the recent breach of Veterans' data that was the focus of press and Congressional scrutiny, from GAO today, this report - Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues, full-text GAO-06-866T, and Highlights, June 14, 2006. From the report: "For many years, significant concerns have been raised about VA's information security--particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information. Both GAO and the department's inspector general have reported recurring weaknesses in such areas as access controls, physical security, and segregation of incompatible duties."

    Related government documents:

  • Press release: "Vulnerabilities in the Department of Veterans Affairs Information Technology Department (VA IT) were exposed and made worse when cyber security recommendations went unheeded, House Committee on Veterans’ Affairs Chairman Steve Buyer (R-Ind.) assessed during a Full Committee Oversight hearing. Testimony from past VA inspectors general (IG) and the Government Accountability Office (GAO) highlighted the failure or lack of internal controls which ultimately contributed to the recent security breach of personal and sensitive information belonging to approximately 26.5 million veterans as well as active duty and reserve component servicemembers. This is the second in a series of committee hearings that will be held in connection with VA IT security."

  • Hearing on the Repeated Failures of VA's Information Technology Management, June 14, 2006. Link to prepared witness testimony.

  • * Consumer Efforts to Ward Off Span and Spyware Still Fall Short

    WSJ free feature: Seeking a Safer Internet - New Tools Flag Sites With Spyware, Spam - But the Technology Is Far From Perfect

    June 11, 2006
    * NY Governor Signs Legislation to Protect New Yorkers Against ID Theft

    Press release, June 9, 2006: "Governor George E. Pataki today signed three bills [Security Freeze Law, Disposal of Personal Records Law, Anti-Phishing Act of 2006] that will further protect New York's consumers and their privacy. These bills will allow consumers to proactively defend themselves against identity thieves, require businesses to properly discard documents and records containing personal information, and prohibit individuals from deceptively soliciting sensitive information from Internet users. They will also help prohibit the potential repercussions that many identity theft victims encounter, including the denial of loan applications, false arrest, and criminal records."

    June 10, 2006
    * Cyber Security Challenges at the Department of Energy

    Hearing, Cyber Security Challenges at the Department of Energy, June 9, 2006. [note: links to member statements and witness testimony not yet available - after an open session, there was a closed session to discuss security issues related to a previously unreported data breach.]

  • AP: DOE Computers Hacked; Info on 1,500 Taken
  • June 08, 2006
    * Hearings Examine Repeated Data Breaches at Federal Agencies

    Government Reform Committee Oversight Hearing, "Once More Into the Data Breach: The Security of Personal Information at Federal Agencies," June 8, 2006. "The data loss at VA is the largest by a federal agency to date, and the latest in a long string of personal information breaches in the public and private sectors, including financial institutions, data broker companies, and academic institutions."

  • Links (PDF) to: Chairman Davis' opening statement; Testimony of Clay Johnson, III, Deputy Director for Management, Office of Management and Budget; Testimony of the David M. Walker, Comptroller General of the United States; Testimony of R. James Nicholson, Secretary, U.S. Department of Veterans Affairs [see related postings on recent VA data breach]; Testimony of William E. Gray, Deputy Commissioner, Office of Systems, U.S. Social Security Administration; Testimony of Daniel Galik, Chief, Mission Assurance and Security Services, Internal Revenue Service, U.S. Department of the Treasury.

  • * New ID Theft Notification Law Takes Effect in Indiana

    Indiana House House Bill 1101 (HB 1101) which takes effect July 1, will "require disclosure of security breaches and encryption of data by companies holding customers' and clients' personal identification information in computer databases if it could cause identity theft, identity deception, or fraud."

  • Press release from Indiana Attorney General Steve Carter, May 31, 2006: "This law will require disclosure of security breaches and encryption of data by companies holding customers’ and clients’ personal identification information in computer databases if it could cause identity theft, identity deception, or fraud. This would help protect consumers by making them aware when their personal information may have been stolen. People would then be able to take the necessary steps to protect themselves from any further damage."
  • June 07, 2006
    * VA Data Breach Far More Extensive Than Previously Revealed

    Follow-up to postings on breach of veterans data, this press release from Sen. Patrick Leahy comments on the announcement that "the Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel – including nearly 80 percent of our active-duty force -- were among the data the VA has lost."

  • AP: Veterans' groups sue over data theft - Suit seeks $1,000 in damages for each affected person

  • Update on Veterans Affairs Data Security: Currrent Servicemembers Possibly Affected by VA Data Loss

  • Veterans Affairs Sending Notification Letters on Data Security
  • June 05, 2006
    * New Hampshire Enacts ID Theft Law

    Press release, May 31, 2006: "Gov. Lynch today signed Senate Bill 334, which will allows victims of identity theft to ask their credit reporting agency for a "credit freeze." Once they do, their credit reports cannot be forwarded without their consent or involvement, which will help prevent identity thieves from using people's good credit against them. A credit freeze will also prevent criminals from being able to open new lines of credit in their victims' names...The law goes into effect on Jan. 1, 2007."

    June 02, 2006
    * Recent Breach of Veterans' Data Generates More Fraud

    Another follow-up to postings and resources for veterans impacted by recent data breach: "The FTC is advising veterans and their families to keep a close hold on their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive personal information. One technique scammers use to get this information is phishing: they send an e-mail that appears to be from a well-known company, asking recipients to verify their personal information and luring them to a Web site that looks genuine, but is bogus. Scammers can lie on the telephone, as well, to get personal information." [Link]

  • FTC Consumer Alert - Vets: Delete Unsolicited Offers by Email; Don't Disclose Personal Information to Unsolicited Callers
  • * Consumer Health Coalition Calls for Review of Consumer Data Security After Recent Breach

    Follow-up to postings and resources for veterans impacted by recent data breach, this press release (includes text of letter to HHS): "Thirty organizations participating in the Consumer Coalition for Health Privacy yesterday asked U.S. Department of Health and Human Services Secretary Mike Leavitt to undertake a compliance review of the U.S. Department of Veterans Affairs pursuant to the authority granted him by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Medical diagnostic codes and disability rating information about an undisclosed number of disabled veterans were stolen last month from the home of a VA employee along with 26.5 million veterans' names, birth dates and Social Security numbers."

    June 01, 2006
    * Online Fraud Report 2006

    Press release: "A new cyber security study released today highlights the difference between perception and reality of consumers' awareness of online scams and their actual online behavior. While 87 percent of consumers polled said they were confident they could recognize fraudulent e-mails, 61 percent failed to identify a legitimate e-mail. Most respondents categorized all e-mails in the study as fake, even though one of them was legitimate. The Online Fraud Report has been sponsored by the National Cyber Security Alliance (NCSA), a central clearinghouse for cyber security awareness and education for home users, small businesses and the education community, and Bank of America."

    May 30, 2006
    * New York Times Reports Arizona A Hot Spot for ID Theft

    According to the New York Times, Arizona's rapid population growth combined with a "heavy traffic in methamphetamine" are signficant factors in the state's ranking at the top of the list for ID theft complaints recorded by the FTC.

  • Related news from AP, Beware the Numbers Hype About ID Theft - When It Comes to Identity Theft, Be Careful but Beware the Numbers Hype, November 13, 2005
  • May 29, 2006
    * National Internet Safety Month

    "In recognition of National Internet Safety Month (June 2006), National Criminal Justice Reference Service presents this compilation of Internet safety resources."

    May 26, 2006
    * White House Admonishes Agencies to Safeguard Citizen Data

    Follow-up to the latest extensive incident of ID theft involving government records and citizen personal data, see this OMB Memoranda M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006.

    Related government documents and news:

  • VA outlines data security upgrades

  • Senate Committee on Veterans' Affair hearing, VA Data Privacy Breach: Twenty-Six Million People Deserve Answers, May 25, 2006 [link to witness statements].

  • From 2004 - Chief Privacy Officers for Each Gov't Agency
  • Current: Contact List of Senior Agency Officals for Privacy

  • And news: TechWeb - VA Worker Took Data Home For Years Before Break-in - "...none of his supervisors we talked to said they were aware that the employee had taken the file containing approximately 26.5 million veterans' records to his residence."

  • May 25, 2006
    * Links to Research Papers from WWW2006 Conference

    Refereed technical papers from 11 research areas are available from the WWW2006 Conference, May 23-26, 2006. Topic areas include: business success, next wave, education and science, security and health.

    * NIST's National Vulnerability Database

    NIST's National Vulnerability Database: Search for Vulnerabilities - Enter vendor, software, or keyword.

  • "NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard."

  • * VA Launches Website and Call Center After Theft of Personal Data

    Follow-up to posting yesterday, Theft of Data on Over 25 Million Veterans Renews Calls for Greater Security, this news from the government today: "Over the weekend following the recent theft of 26.5 million veterans' records, the Department of Veterans Affairs (VA) quickly put in place a call center and website to answer questions about the implications of the theft and the steps veterans can take to protect themselves from misuse of their personal information. The call center, at 1-800-FEDINFO, operates from 8:00 a.m. to 9:00 p.m. (EDT) Monday to Saturday. It can handle up to 260,000 toll-free calls a day. The latest information on VA data security is posted on Firstgov.gov, the U.S. government's official Web portal."

    Related news and government documents:

  • VA needs 26 million envelopes, fast

  • VA data theft may cost $500 million

  • Press release: Sen. Coleman Sends Letter to GAO Requesting Government Sends Letter to GAO Requesting Government-Wide Review of Practices in Light of Stolen Veterans Data.
  • May 24, 2006
    * Theft of Data on Over 25 Million Veterans Renews Calls for Greater Security

    Statement of Secretary of Veterans Affairs R. James Nicholson on the Status of the Veterans Data Theft (5/24/06): "I am outraged at the loss of this veterans' data and the fact an employee would put it at risk by taking it home in violation of our policies. I am also concerned about the timing of the Department's response once the burglary became known. I will not tolerate inaction and poor judgment when it comes to protecting our veterans."

  • Related postings on cybercrime and ID theft

  • New York Times: Department to Investigate Theft of Veterans' Data

  • AP: Experts Offer Advice to Prevent ID Theft
  • May 15, 2006
    * Black Box Voting Report on Diebold Security Issues

    5-11-06: Three-level security flaws found in Diebold touch-screens. Critical Security Alert: Diebold TSx and TS6 voting systems by Harri Hursti, for Black Box Voting, Inc. (12 pages, PDF)

  • "Due to the nature of this report it is distributed in two different versions. Details of the attack are only in the restricted distribution version considered to be confidential. This document describes several security issues with the Diebold electronic voting terminals TSx and TS6. These touch-pad terminals are widely used in US and Canadian elections and are among the most widely used touch pad voting systems in North America. Several vulnerabilities are described in this report. One of them, however, seems to enable a
    malicious person to compromise the equipment even years before actually using the exploit, possibly leaving the voting terminal incurably compromised. These architectural defects are not in the election-processing system itself. However, they compromise the underlying platform and therefore cast a serious question over the integrity of the vote. These exploits can be used to affect the trustworthiness of the system or to selectively disenfranchise groups of voters through denial of service."


  • Related news:
  • Press release, California first in nation to implement electronic voting reform, May 4, 2006: "All 58 California counties are on track to deploy new or upgraded voting equipment that guarantees every ballot cast will be backed up on paper that voters can verify before leaving the polls. Fourteen counties acquired over 40,000 electronic voting machines in recent years, all of which are being replaced or retrofitted with printers in time for the June election, making California the first state in the nation to reform its electronic voting systems after widespread deployment of paperless e-voting machines."

  • * Cybersecurity Enhancement and Consumer Data Protection Act of 2006

    Cybersecurity Enhancement and Consumer Data Protection Act of 2006 (H.R. 5318), To amend title 18, United States Code, to better assure cyber-security, and for other purposes, introduced 5/9/2006, by Rep. James F. Sensenbrenner Jr.

    May 11, 2006
    * A Model Regime of Privacy Protection

    Solove, Daniel J. and Hoofnagle, Chris Jay, A Model Regime of Privacy Protection (Version 3.0). Illinois Law Review, Vol. 2006, p. 357, 2006.

    * FTC Testifies on Social Security Numbers in Commerce

    FTC press release: "The Federal Trade Commission today told the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce Committee that in the effort to reconcile the beneficial uses of Social Security Numbers with the threats to consumer privacy, "The challenge is to find the proper balance between the need to keep SSNs out of the hands of identity thieves, while giving businesses and government entities sufficient means to attribute information to the correct person."

  • Social Security Numbers in Commerce: Reconciling Beneficial Uses with Threats to Privacy - Hearing by the Subcommittee on Commerce, Trade, and Consumer Protection - Thursday, May 11, 2006. Witness List & Prepared Testimony

  • * Executive Order Creates National Identity Theft Task Force

    Fact Sheet: The President's Identity Theft Task Force: "This task force will marshal the resources of the Federal government to crack down on the criminals who traffic in stolen identities and protect American families from this devastating crime."

  • Executive Order: Strengthening Federal Efforts to Protect Against Identity Theft, May 10, 2006.
  • May 10, 2006
    * Committee Report to Accompany the Data Accountability and Trust Act

    "The Committee on Energy and Commerce, to whom was referred the bill (H.R. 4127) to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass." [House Report 109-453 - Part 1 - Data Accountability and Trust Act (DATA), Ordered to be printed May 6, 2006]

    * FTC Settles Complaint With Company Over Lax Security of Consumer Data

    FTC press release: "A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."

  • In the Matter of Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens; File No. 052 3117
  • May 09, 2006
    * Wide Range of Privacy and Security Issues Involving RFID Exposed As Use Grows

    The RFID Hacking Underground, by Annalee Newitz: "They can steal your smartcard, lift your passport, jack your car, even clone the chip in your arm. And you won't feel a thing. 5 tales from the RFID-hacking underground."

  • "RFID chips are everywhere - companies and labs use them as access keys, Prius owners use them to start their cars, and retail giants like Wal-Mart have deployed them as inventory tracking devices. Drug manufacturers like Pfizer rely on chips to track pharmaceuticals. The tags are also about to get a lot more personal: Next-gen US passports and credit cards will contain RFIDs, and the medical industry is exploring the use of implantable chips to manage patients. According to the RFID market analysis firm IDTechEx, the push for digital inventory tracking and personal ID systems will expand the current annual market for RFIDs from $2.7 billion to as much as $26 billion by 2016."
  • * Market and Government Share Blame For Proliferation of ID Theft

    Preventing Identity Theft and Data Security Breaches: The Problem With Regulation, by Clyde Wayne Crews and Brooke Oberwetter, Competitive Enterprise Institute, May 9, 2006 (24 pages, PDF)

  • Executive Summary: "Numerous high-profile cyber-attacks have spawned intense calls for government intervention into information security practices. Tired of the many online threats—including identity theft, data security breaches, and destructive viruses—the public and even some industry representatives are increasingly open to using government regulation to deal with electronic security issues."
  • May 08, 2006
    * Strategies to Create and Manage A Corporate Info Security Policy

    Building and Implmenting a Successful Information Security Policy, by John J. Pak, May 8, 2006 (25 pages, PDF).

  • See also Current IT: Issues Survey Report, 2006 - Security and Identity Management edges out Funding IT as the top strategic challenge, while Disaster Recovery/Business Continuity reemerges. by Barbara I. Dewey, Peter B. DeBlois, and the EDUCAUSE Current Issues Committee.

  • April 11, 2006
    * Internet Crime Complaint Center Annual Report

    2005 IC3 Annual Report (27 pages, PDF)

    April 10, 2006
    * Industry Group Urges Congressional Action on Security Breaches

    Cyber Security Industry Alliance Board Urges Congressional Leadership on Consumer Data Protection: Letter to Congressional Leadership

    April 09, 2006
    * Practical Guide to Recognizing and Responding to Phishing Attacks

    CSO Fundamentals: The ABCs of Phishing and Pharming

    April 05, 2006
    * SIIA Anti-Piracy 2005 Year in Review

    "The Software & Information Industry Association's Anti-Piracy Division conducts a comprehensive, industry-wide campaign to fight software and content piracy. The pro-active campaign is premised on the notion that one must balance enforcement with education in order to be effective."

  • SIIA Anti-Piracy 2005 Year in Review (8 pages, PDF)
  • April 04, 2006
    * Data Brokers Supplying Gov't Don't Consistently Protect Privacy of Citizen Info

    Personal Information: Agencies and Resellers Vary in Providing Privacy Protections, Full-text GAO-06-609T, April 4, 2006. Highlights.

  • "In fiscal year 2005, the Departments of Justice, Homeland Security, and State and the Social Security Administration reported that they used personal information obtained from resellers for a variety of purposes, including performing criminal investigations, locating witnesses and fugitives, researching assets held by individuals of interest, and detecting prescription drug fraud. The agencies spent approximately $30 million on contractual arrangements with resellers that enabled the acquisition and use of such information...The major information resellers that do business with the federal agencies GAO reviewed have practices in place to protect privacy, but these measures are not fully consistent with the Fair Information Practices.


  • Personal Information: Agency and Reseller Adherence to Key Privacy Principles, Full-text GAO-06-421, April 4, 2006. Highlights.
  • "...resellers generally limit the extent to which individuals can gain access to personal information held about themselves, as well as the extent to which inaccurate information contained in their databases can be corrected or deleted. Agency practices for handling personal information acquired from information resellers did not always fully reflect the Fair Information Practices. That is, some of these principles were mirrored in agency practices, but for others, agency practices were uneven. For example, although agencies issued public notices on information collections, these did not always notify the public that information resellers were among the sources to be used."
  • April 03, 2006
    * Anti-Spyware Coalition Publishes Guides for Consumers and Enterprise

    Press release: The Anti-Spyware Coalition today released two new resources to help consumers and enterprises better protect themselves against spyware and unwanted adware...The coalition's two new documents walk consumers and network operators through the steps they should be taking to protect their machines against adware, spyware and other malicious software."

  • Protecting Your Network: Mitigating Spyware in Organizations

  • Protecting Your Computer: Detecting and Avoiding Spyware


  • Related research report:
    Why Phishing Works (10 pages, PDF), by Rachna Dhamija of Harvard University and Marti Hearst and J.D. Tygar of the UC Berkeley, to appear in Proceedings of CHI-2006: Conference on Human Factors in Computing Systems, April 2006.

    April 02, 2006
    * DOJ Report: Identity Theft, 2004

    Press release: "An estimated 3.6 million households, or about 3 percent of all households in the nation, learned that they had been the victim of at least one type of identity theft during a six-month period in 2004, the Justice Department’s Bureau of Justice Statistics (BJS) announced today. Forty-eight percent had experienced an unauthorized use of credit cards; 25 percent had other accounts, such as banking accounts, used without permission; 15 percent experienced the misuse of personal information and 12 percent experienced multiple types of theft at the same time. These findings represent six-month estimates based on interviews conducted from July through December 2004 for the BJS National Crime Victimization Survey."

  • Identity Theft, 2004 (NCJ 212213), by BJS statistician Katrina Baum.
  • March 31, 2006
    * FTC in 2006: Committed to Consumers and Competition

    Press release: "Federal Trade Commission Chairman Deborah Platt Majoras today issued the agency's 2006 Annual Report at the American Bar Association’s Section of Antitrust Law Spring Meeting in Washington, DC. The report, entitled "The FTC in 2006: Committed to Consumers and Competition," (62 pages, PDF) is available now on the Commission's Web site and includes sections on the FTC's competition and consumer protection missions and recent accomplishments, as well as a summary of the policy tools it uses to complement its array of law enforcement and international outreach and coordination efforts."

    March 30, 2006
    * GAO Identifies Security Gaps in Use of Social Security Numbers and Recommends Remedies

    Social Security Numbers: More Could be Done to Protect SSNs, Full text GAO-06-586T, and Highlights. March 30, 2006.

  • "There is no one law that comprehensively regulates SSN use and protections...GAO found that there were gaps in the practices for protecting SSNs within government agencies and across industry sectors, such as a lack of uniformity at all levels of government to assure the security of the SSN; gaps in the federal law and oversight in different industries that share SSNs with their contractors; exposure of SSNs in public records and identification cards under the auspices of the government; and few restrictions on certain entities' abilities to obtain and use SSNs in the course of their business."
  • March 29, 2006
    * BBB Offers Toolkit to Help Manage Privacy and Security

    "The Better Business Bureau (BBB) has partnered with nationally-recognized security and privacy experts to create a new toolkit to help small business owners manage security and privacy challenges. We call it Security & Privacy - Made Simpler (TM). The objective is to demystify the complexities of data security and give small businesses a non-technical roadmap to securing their customer data, and their employees' data, too."

  • Download Security & Privacy - Made Simpler
  • March 28, 2006
    * Free Service Alerts Businesses to Phishing Risks

    "PhishRegistry.org is a free service provided by CipherTrust, Inc. to help businesses know when they are at risk of being phished. PhishRegistry.org monitors the content of your website and alerts you when attempts to duplicate it have been detected. Weekly reports are sent to your email address with information about suspect websites."

  • See also the Phishing Incident Reporting and Termination Squad
  • March 26, 2006
    * Privacy Group Updates Chronology of Major Data Breaches

    Privacy Rights Clearinghouse, Updated March 23, 2006: A Chronology of Data Breaches Reported Since the ChoicePoint Incident

    March 23, 2006
    * Advocacy Group Releases Badware Reports

    "Thousands of visitors to StopBadware.org have shared their badware experiences with us since we launched. From their stories, we've identified and tested four applications that contain annoying or objectionable behaviors. To find out what we think of Kazaa, MediaPipe, SpyAxe, and Screensaver.com, read our reports (all in PDF):"

  • Kazaa

  • Mediapipe

  • SpyAxe

  • Waterfalls 3

  • "Before we could aggregate and qualitatively analyze peoples' submissions, we first needed to define the parameters and essential traits of badware. With the advice and input of a panel of internet experts, we isolated six categories of behaviors that many users reported as unwanted in software they download: deceptive installations, unclearly identification, causing harm to other computers, modifying other software, transmitting user data, interfering with computer use, and being difficult to uninstall completely..." The complete guidelines, subject to updating, are here.
  • * GAO Reports on HHS and CMS Info Security Vulnerabilities

    Information Security: Department of Health and Human Services Needs to Fully Implement Its Program, Full Report, GAO-06-267 and Highlights, February 24, 2006.

  • "HHS and CMS have significant weaknesses in controls designed to protect the confidentiality, integrity, and availability of their sensitive information and information systems. HHS computer networks and systems have numerous electronic access control vulnerabilities related to network management, user accounts and passwords, user rights and file permissions, and auditing and monitoring of security-related events. In addition, weaknesses exist in other types of controls designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to application software."
  • March 20, 2006
    * Global Phishing Enforcement Initiative Launched By Microsoft

    Press release: "Neil Holloway, president of Microsoft Europe, Middle East and Africa (EMEA), unveiled a global law enforcement campaign that will target cybercriminals behind phishing attacks. Microsoft Corp. announced that by the end of June 2006 it will have initiated legal actions on more than 100 cases in EMEA against individuals suspected of committing online fraud; 53 of these will have already started by the end of March 2006...The legal actions are linked to a larger Microsoft(R) program, the Global Phishing Enforcement Initiative (GPEI), launched by the company to coordinate and expand its many anti-phishing efforts worldwide to fight phishers through consumer protection, partnerships and prosecution."

    March 17, 2006
    * FTC Testifies on Security Issues in Global Information-based Economy

    Press release, March 16, 2006: The Federal Trade Commission today told the House Committee on Small Business, Subcommittee on Regulatory Reform and Oversight that protecting consumers' privacy rights is a top priority for the agency. Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, told the Committee, "The Commission is committed to aggressive law enforcement, vigorous consumer and business education efforts, and global cooperation to safeguard the security of consumers’ personal information." To date, the agency has brought 12 data security cases, six spyware and adware cases, more than a dozen financial pretexting cases, and more than 80 spam cases.

  • Prepared Statement (17 pages, PDF) of the Federal Trade Commission: On The State of Small Business Security In A Cyber Economy, Presented by Lydia Parnes, Director, Bureau of Consumer Protection, Before the Subcommittee On Regulatory Reform and Oversight of the Committee on Small Business, United States House of Representatives. (March 16, 2006)
  • March 16, 2006
    * Passage of House Bill Undermines State Credit Freeze Laws

    U.S. Newswire: "The House Financial Services Committee voted today to repeal strict state notification and credit freeze laws that have helped to protect consumers from identity theft and financial fraud. These laws provide essential protections that allow consumers to prevent identity thieves from opening credit accounts in their names and require companies to inform consumers when their personal data -- such as their Social Security and credit card numbers -- have become compromised."

  • H.R. 3997 - To amend the Fair Credit Reporting Act to provide for secure financial data, and for other purposes.

  • * Report Outlines Battle Plan to Combat Phishing

    Press release: "Consumer confidence in conducting business and protecting personal data online is threatened every day by phishing scams. In an initiative led by the National Consumers League (NCL), law enforcement, financial services and technical industries have joined forces to combat this threat. The group today issued a "call to action" with the release of a paper outlining key recommendations that form a comprehensive plan for combating phishing more effectively."

  • A Call for Action (66 pages, PDF)
  • * Federal Computer Security Gets Failing Grade

    Government Reform Committee Oversight Hearing: No Computer System Left Behind: A Review of the 2005 Federal Computer Security Scorecards, March 16, 2006.

  • Please note, the links to the House Committee originally cited in this posting are no longer available. For alternative access to the some of the same information, please see the following:
  • Washington Post: DHS Gets Another F in Computer Security - Annual 'Report Card' Contends Many Key Agencies Don't Adequately Protect Networks

  • FEDERAL COMPUTER SECURITY REPORT CARD, March 16, 2006

  • Federal Computer Security Grades, 2001-2005, Wednesday, March 15, 2006



  • [Link to witness statements and related documentation]
  • "Background: Our economy and government have become more and more dependent on information technology and the Internet. Government agencies have improved the efficiency of their operations and services to citizens through electronic government initiatives. Given the interconnectivity of systems, all it takes is one weak link to break the chain. We must guard our information systems from hackers, terrorists, hostile foreign governments, and identity thieves to protect our national security, allow for continuity of government operations, and ensure the privacy of citizens’ personal information. An attack could originate anywhere at anytime. Unfortunately, last year's overall grade for the government was only a D+."

  • Computer Security Report Card 2005 (1 page, PDF)
    "... agency compliance with the Federal Information Security Management Act (FISMA)."
  • Sixth Report Card on Computer Security at Federal Departments and Agencies: Overall Grade D+ (1 page, PDF)
  • Federal Computer Security Grades - 2001-2005 (1 page, PDF)
  • How Grades Were Assigned (3 pages, PDF)

  • March 13, 2006
    * NY Announces Settlement in Largest Privacy Breach to Date

    Press release: "Attorney General Eliot Spitzer today announced a settlement to address what may have been the largest breach of privacy in internet history. The settlement with Datran Media, a leading e-mail marketer, follows an investigation that identified the improper disclosure of the personal information of more than six million American consumers."

  • Assurance of Discontinuance
  • * Taxpayers Alerted to Escalation in Phishing Scams

  • U.S. Treasury Inspector General for Tax Administration: Taxpayers Beware of Widespread Phishing Schemes Involving the IRS

  • IRS: Phishing, Identity Theft and Scams
  • March 08, 2006
    * EU Seminar Report: Trust In the Net

    From Viviane Reding, Member of the European Commission responsible for Information Society and Media, "Safety on the Net" (7 pages, PDF), (09/02/06).

    * Internet Security Threat Report Finds Increase in Crimeware

    Symantec Internet Security Threat Report, Volume IX: March 2006 Highlights.

  • Press release: "This volume of the Internet Security Threat Report offers an overview of threat activity that took place between July 1 and December 31, 2005. In this edition, the new threat landscape is shown to be increasingly dominated by attacks and malicious code that are used to commit cybercrime, criminal acts that incorporate a computer or Internet component. Attackers have moved away from large, multipurpose attacks on network perimeters and toward smaller, more focused attacks on client-side targets."

  • See also Internet "cloaking" emerges as new Web security threat

  • March 06, 2006
    * Minnesota Governor Announces Proposals to Protect Personal Privacy

    Press release: "Citing the need to safeguard the personal information of Minnesotans, Governor Pawlenty today announced a series of proposals that will protect personal privacy and improve the way state government handles personal data...In 2005, more than 3,000 Minnesotans became the victims of identity theft according to the Federal Trade Commission.

    February 27, 2006
    * Identity Theft: Protecting Your Good Name

    NPR: Identity Theft - Protecting Your Good Name, February 27, 2006. (17 pages, PDF)

    * Phishing, Pharming, Key Logging, DDOS Attacks Require Net Users to Remain Vigilant

    New York Times: Cyberthieves Silently Copy Your Passwords as You Type

  • USA Today, Increasing Web attacks disrupt commerce

  • Related postings on cybercrime
  • February 23, 2006
    * FTC Announces Settlement in Security Breach Violation Case

    FTC press release: "In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."

    Related documents:

  • Keynote Address to State of California Identity Theft Summit Teaming Up Against Identity Theft, Chairman Deborah Platt Majoras, Los Angeles, CA, February 23, 2006 (14 pages, PDF)

  • In the Matter of CardSystems Solutions, Inc., and Solidus Networks, Inc., Doing Business as Pay By Touch Solutions, File No. 052 3148

  • February 21, 2006
    * Security Issues Escalate With Popularity of Handheld Devices

    New York Times: Too Many New Gadgets, Too Much Information at Risk: Loss, theft and viruses are major issues as corporate use of handheld devices and pocket PCs increases. Pre-emptive security options are available however, as this article describes.

    February 19, 2006
    * Managing Cybersecurity Resources

    Managing Cybersecurity Resources: A Cost-Benefit Analysis "details guidelines for using sound and measurable principles of cost-benefit analysis, as a compliment to gut instinct, to efficiently allocate and manage cybersecurity resources within your organization. Written by two globally acknowledged leaders in the increasingly critical area of cybersecurity (Lawrence A. Gordon and Martin P. Loeb), this comprehensive exploration presents:

  • Key issues that impact the management of cybersecurity resources
    An economic framework for achieving sufficient cybersecurity protection

  • The role risk plays in allocating cybersecurity resources

  • A generic approach for making the business case for securing funding deemed necessary

  • The growing role of cybersecurity in protecting national security."
  • February 16, 2006
    * Report Reviews Responding to Academic Network Security Threats

    Responding to Security Incidents on a Large Academic Network: by Jamie Riden 02/14/06 (9 pages, PDF). "This paper describes a series of security incidents on a large academic network, and the gradual evolution of measures to deal with emerging threats."

    February 15, 2006
    * Cmte. Sends Letters Seeking Info on Data Brokers' Business Activities

    Follow-up to House Cmte. Seeks Operations Docs. from Websites Selling Cell Phone Records, "House Energy and Commerce Committee investigators have identified people behind 22 Web pages that may offer criminals, stalkers and any other paying customer the detailed records of a person's private telephone calls."

  • Press release today: "Energy and Commerce Committee Chairman Joe Barton, R-Texas; the committee's ranking member, U.S. Rep. John Dingell, D-Mich.; Oversight and Investigations Subcommittee Chairman Ed Whitfield, R-Ky.; and the subcommittee's ranking member, U.S. Rep. Bart Stupak, D-Mich., today sent letters demanding that the companies provide information about the cottage industry."
  • February 11, 2006
    * DHS To Conduct National Computer Security Survey

    "The goal of National Computer Security Survey (NCSS) is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses. The first national survey of thousands of businesses is being conducted in 2006. Sponsors: U.S. Department of Justice, Bureau of Justice Statistics and the U.S. Department of Homeland Security, National Cyber Security Division (NCSD)."

    Related government documents:

  • Press release: "U.S. Department of Homeland Security (DHS) announced the completion of Cyber Storm, the first full-scale government-led cyber security exercise to examine response, coordination, and recovery mechanisms to a simulated cyber-event within international, federal, state, and local governments, in conjunction with the private sector. In total, 115 public, private, and international agencies, organizations, and companies were involved in the planning and implementation of Cyber Storm."

  • National Institute of Standards and Technology (NIST), Guide for Developing Security Plans for Federal Information Systems, February 2006 (41 pages, PDF)

  • February 09, 2006
    * CRS Report on State and Federal Data Security Laws

    Data Security: Federal and State Laws, February 03, 2006

  • "This report provides a brief discussion of federal and state data security laws. The security of personal information and risks to data are paramount concerns addressed in federal and state law, legislation, and regulations."
  • February 02, 2006
    * Report On Impact of ID Theft in UK

    UK Home Office: Updated Estimate of the of the Cost of Identity Fraud to the UK Economy, 2 February 2006 (4 pages, PDF).

  • Update: Government 'overstated' ID fraud figures
  • January 30, 2006
    * StopBadware.org Launched By Consortium

    The new StopBadware.org website, sponsored by the Berkman Center, the Oxford Internet Institute, with assistance from Consumer Reports WebWatch, ..."will seek to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. We aim to become a central clearinghouse for research on badware and the bad actors who spread it, and to become a focal point for developing collaborative, community-minded approaches to stopping badware."

    * FTC Releases Top 10 Consumer Fraud Complaint Categories

    Identity Theft Again Leads the List: "The Federal Trade Commission...released its annual report (77 pages, PDF) detailing consumer complaints about fraud and identity theft in 2005. Complaints about identity theft topped the list, accounting for 255,000 of more than 686,000 complaints filed with the agency in 2005. The complaints, filed online or at a toll-free number, are shared via a secure database with more than 1,400 federal, state, and local law enforcement agencies, and law enforcement and consumer protection agencies in Canada and Australia."

    January 26, 2006
    * ChoicePoint Settles With FTC Over Data Security Breach

    FTC press release: "Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to est