Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, Dennis C. Blair, Director of National Intelligence, February 2, 2010
"The quarterly APWG (AntiPhishing Working Group) Phishing Activity Trends Report analyzes phishing attacks reported to the APWG by its member companies, its Global Research Partners, through the organization’s website and by email submissions. APWG also measures the evolution, proliferation and propagation of crimeware drawing from the research of our member companies. In the last half of this report you will find tabulations of crimeware statistics and related analyses."
OPNAV NOTICE 5400, January 11, 2010: "Action will establish U. S. Fleet Cyber Command as an echelon II command to serve as the Navy Component Commander to United States Cyber Command upon its establishment. Interim reporting will be to United States Strategic Command. Command will provide for operational employment of the Navy's cyber, network operations, information operations, cryptologic and space forces, and serve as the Navy's Service Cryptologic Component Commander to the National Security Agency. U.S. Tenth Fleet will be re-commissioned to control operations supporting U. S. Fleet Cyber Command."
DRAFT Security Requirements for Cryptographic Modules (Revised Draft): "The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing."
News release: "A new booklet released today by the Federal Trade Commission and other government agencies helps parents and teachers steer kids safely through the online and mobile phone worlds. Net Cetera: Chatting with Kids About Being Online was unveiled...by FTC Chairman Jon Leibowitz, U.S. Secretary of Education Arne Duncan, and Federal Communications Commission Chairman Julius Genachowski."
OIG-09-101 - Vulnerabilities Highlight the Need for More Effective Web Security Management (Redacted), September 2009 (PDF, 21 pages)
National Law Journal: "The economy has employers extra jittery about company secrets getting out, so nervous that they're hiring staff just to monitor outbound e-mails. That's the conclusion of a recent study by Proofpoint, an Internet security and data loss prevention company, which found that 38 percent of large U.S. employers are monitoring outbound e-mail to prevent data leaks, up from 29 percent in 2008."
National Cybersecurity Awareness Month: "October marks the sixth annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. The theme for National Cybersecurity Awareness Month 2009 is “Our Shared Responsibility” to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good “cyber hygiene” and to protect themselves and their families at home, at work and at school. Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace."
Sanitization and Disposal of Excess Information Technology Equipment (Report No. D-2009-104)
News release: "The Department of Homeland Security (DHS) and the Information Technology Sector Coordinating Council (IT SCC) today released the IT Sector Baseline Risk Assessment (ITSRA) to identify and prioritize national-level risks to critical sector-wide IT functions while outlining strategies to mitigate those risks and enhance national and economic security...The ITSRA validates the resiliency of key elements of IT sector infrastructure while providing a process by which public and private sector owners and operators can continually update their risk management programs. The assessment links security measures to concrete data to provide a basis for meaningful infrastructure protection metrics."
Follow up to previous postings on recovering data from discarded or resold computers and their hard drives, additional data and PC security ideas via PC Pro’s top 10 hard disk destruction methods.
PBS.org FRONTLINE - Ghana, Digital Dumping Ground: "When containers of old computers first began arriving in West Africa a few years ago, Ghanaians welcomed what they thought were donations to help bridge the digital divide. But soon exporters learned to exploit the loopholes by labeling junk computers 'donations'...[What is on the hard drives from these junk PCs?] There is private financial data...credit card numbers, account information, records of online transactions the original owners may not have realized were even there. Ghana is listed by the U.S. State Department as one of the top sources of cyber crime in the world. And it's not just individuals who are exposed. One of the drives the team has purchased contains a $22 million government contract. It turns out the drive came from Northrop Grumman, one of America's largest military contractors. And it contains details about sensitive, multi-million dollar U.S. government contracts. They also find contracts with the Defense Intelligence Agency, NASA, even Homeland Security."
2009 Trust, Security & Passwords Survey Research Brief: "This global 'snooping' survey is the third in a series of benchmark studies focused on identifying security and privacy trends among IT workers. Results are intended to raise awareness about the risks associated with powerful, and often unmanaged, privileged users and passwords. While seemingly innocuous, these accounts provide workers with 'keys to the kingdom,' allowing them to access critically sensitive information, no matter where it resides."
Berkman Center for Internet & Society at Harvard University report: Enhancing Child Safety & Online Technologies: Final Report of the Internet Safety Technical Taskforce to the Multi-State Working Group on Social Networking of State Attorneys General of the United States in December of 2008.
News release: "A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP’s upstream providers and data centers have disconnected its servers from the Internet."
White House: Securing Our Digital Future, Melissa Hathaway, Cybersecurity Chief at the National Security Council, discusses securing our nation's digital future.
News release: "The Federal Trade Commission today testified on the Commission’s efforts to promote better security for sensitive consumer information and to prevent the inadvertent sharing of consumers’ personal or sensitive data over Peer-to-Peer Internet file-sharing networks. As part of these efforts, the agency also announced that it had reached an agreement with one of the largest privately held lenders in the United States to resolve charges that the company violated federal law by failing to provide reasonable security for consumers’ sensitive information. In testimony before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection, Acting Director of the Bureau of Consumer Protection Eileen Harrington said the agency strongly supports the goals of H.R. 2221, the Data Accountability and Trust Act, which would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The legislation also would give the Commission the authority to obtain civil penalties for violations."
"Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials...But protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage."
Follow up to April 5, 2009 posting Senate Staff Working Draft of Cybersecurity Act of 2009, see this related CRS report: Comprehensive National Cybersecurity Initiative (CNCI): Legal Authorities and Policy Considerations, March 10, 2009
Treasury Inspector General for Tax Administration, Progress Has Been Slow in Implementing Federal Security Configurations on Employee Computers, March 27, 2009, Reference Number: 2009-20-055
WSJ: "The government's coordinator for cybersecurity programs has quit, criticizing what he described as the National Security Agency's grip on cybersecurity. Rod Beckstrom, a former Silicon Valley entrepreneur, said in his resignation letter that the NSA's central role in cybersecurity is 'a bad strategy' because it is important to have a civilian agency taking a key role in the issue. The NSA is part of the Department of Defense."
"The Electronic Frontier Foundation (EFF) launched its Surveillance Self-Defense project today -- an online how-to guide for protecting your private data against government spying. EFF created the Surveillance Self-Defense site to educate Americans about the law and technology of communications surveillance and computer searches and seizures, and to provide the information and tools necessary to keep their private data out of the government's hands. The guide includes tips on assessing the security risks to your personal computer files and communications, strategies for interacting with law enforcement, and articles on specific defensive technologies such as encryption that can help protect the privacy of your data."
Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data, February 23, 2009
News release: "President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security. This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector. "The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Assistant to the President for Counterterrorism and Homeland Security John Brennan. Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period."
News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."
The Top 25 Errors are listed below in three categories:
CDT news release: "The Supreme Court Wednesday dealt the final blow to the government's 10-year campaign to place onerous restrictions on Internet content. The Court declined to hear the government's appeal of lower court rulings [3rd U.S. Circuit Court of Appeals Decision in COPA February 22, 2008] that declared the Child Online Protection Act as unconstitutional. COPA passed in 1998 but was never enforced due to immediate court challenges on First Amendment grounds. Since COPA was passed there have been at least three major commissions or studies that have concluded that education and voluntary technology tools are the most effective way to protect kids online. These approaches are the ones Congress and the President should pursue to enhance Internet safety."
News release: "The Federal Financial Institutions Examination Council (FFIEC) issued guidance today for examiners, financial institutions, and technology service providers to identify risks, evaluate controls, and assess risk management practices related to remote deposit capture (RDC) systems. RDC enables customers to make deposits from their homes or businesses instead of taking the deposits to their financial institutions. Digital information captured at the home or business is transmitted to the financial institution or its service provider for clearing and settlement. Financial institutions might also use RDC in their branches and automated teller machines (ATMs) to facilitate deposit processing. When properly managed, RDC can reduce processing costs, support new and existing products by financial institutions, and accelerate the availability of customers’ funds. However, RDC also introduces new risks and increases existing risks in processing deposits originated by an institution’s commercial or retail customers, or by customers of other financial institutions domestically and abroad."
"The Global state of information security survey 2008 is a worldwide security survey by PricewaterhouseCoopers, CIO Magazine and CSO Magazine. It was conducted online from March 25 to June 26, 2008. Readers of CIO and CSO Magazines and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 119 countries. Thirty-nine percent (39%) of respondents were from North America, twenty-seven percent (27%) from Europe, seventeen percent (17%) from Asia, fifteen percent (15%) from South America, and two percent (2%) from the Middle East and South Africa."
SecurityFocus: "Google posted...a handbook for Web developers that highlights the key security features and quirks of major Web browsers. The document, dubbed the Browser Security Handbook, has three parts that tackle the security features in browsers and browser-specific issues that could lead to security weaknesses."
Follow up to previous postings on recovering data from discarded or resold computers and their hard drives, from the FTC: "Computers are a popular gift during the holiday season. People with a new computer often wonder about the best way to get rid of the old one. OnGuardOnline.gov, the computer safety Web site managed by the Federal Trade Commission, has some tips to make this task easier – and more secure. Passwords, health information, and other sensitive personal data should be saved elsewhere and erased off the old computer. This protects consumers’ privacy and safeguards them from identity theft. People who use their computers for work should check with their employers regarding the legal requirements businesses must comply with to secure and dispose of data. To learn more, including how to save and erase data, see Computer Disposal."
Treasury Inspector General for Tax Administration: Unauthorized and Insecure Internal Web Servers Are Connected to the Internal Revenue Service Network, August 26, 2008. Reference Number: 2008-20-159
Transmittal Letter: "The insider threat to critical infrastructures constitutes a real and significant threat because of the potential a trusted insider has to inflict serious damage, including cascading and cross-sector effects and economic interruptions from critical infrastructure service losses. While many critical infrastructure operators have programs or measures in place addressing this threat to some degree, others do not fully understand or appreciate the threat posed by insiders, both to their company and also to our Nation. The Report provides recommendations for government policy to help improve the security posture of U.S. critical infrastructures against this threat. The recommendations include low-cost, easily implemented policy solutions for near term effect. The NIAC recommends that policy makers move swiftly to implement the near term improvements and increase the security of our critical infrastructures."
D-2008-114 Accountability for Defense Security Service Assets With Personally Identifiable Information, July 24, 2008 (Project No. D2007-D000LC-00042.000)
"Research released...by instant messaging experts, ProcessOne, revealed that 72% of UK businesses have banned the use of public instant messaging (IM) software, such as MSN, AIM and Yahoo!, because of security fears. These fears include the ability for employees to download the software without the IT department’s knowledge and potentially use it to send confidential information outside the business. This is despite the fact that 74% of those surveyed say that they think IM could provide valuable collaboration benefits to their organisation; indicating that at the moment, security fears are overriding the opportunity that UK businesses have to increase collaboration and business productivity."
News release: "Today, the Office of Management and Budget (OMB) released the Trusted Internet Connections (TIC) Initiative Statement of Capability Evaluation Report highlighting the Federal government’s rapid progress toward strengthening IT security. This was achieved by reducing external connections, including Internet points of presence from over 4,300 reported in January 2008, to a target of less than one hundred."
Draft SP 800-124, Guidelines on Cell Phone and PDA Security, July 2008.
"Cell phones and personal digital assistants (PDAs) have become indispensable tools for today's highly mobile workforce. Small and relatively inexpensive, these devices can be used for many functions, including sending and receiving email, storing documents, delivering presentations, and remotely accessing data. While these devices provide productivity benefits, they also pose new risks to an organization’s security.
This document provides an overview of cell phone and PDA devices in use today and offers insights into making informed information technology security decisions on their treatment. The document gives details about the threats and technology risks associated with these devices and the available safeguards to mitigate them. Organizations can use this information to enhance security and reduce incidents involving handheld devices."
Draft Guide to Bluetooth Security, July 9, 2008, SP 800-121.
Airport Insecurity: The Case of Lost Laptops - Key Findings Prepared by Larry Ponemon, sponsored by Dell, June 30, 2008
Proofpoint’s Outbound Email and Data Loss Prevention in Today’s Enterprise, 2008 report - ["The survey was fielded in the US, UK, France, Germany and Australia to explore global concerns."]
"Email remains the most important medium for communications both inside and outside the enterprise. But the convenience and ubiquity of email as a business communications tool has exposed enterprises to a wide variety of legal, financial and regulatory risks associated with outbound email. Enterprises continue to express a high level of concern about creating, managing and enforcing outbound messaging policies (for email and other communication protocols) that ensure that messages leaving the organization comply with both internal rules, best practices for data protection and external regulations. In addition, organizations remain very concerned about ensuring that email (and other electronic message streams) cannot be used to disseminate confidential or proprietary information...The results show that data protection concerns are not confined to the US and that globally, email, webmail, FTP, blogs, message boards, media sharing sites and social networking sites are a source of concern as well as real-world risk for IT professionals working in large enterprises."
Audit Initiated of the Web Applications Security in Air Traffic Control Systems, June 02, 2008. Project ID: 07F3018F000
"Summary: The Office of Inspector General is initiating an audit of web applications security in air traffic control (ATC) systems in response to a request made by the U.S. House of Representatives Committee on Transportation and Infrastructure. The objectives of this audit are to determine whether: (1) web applications used in supporting ATC operations are properly secured to prevent unauthorized access to ATC systems, and (2) FAA’s network intrusion–detection capability is effective in monitoring ATC cyber security incidents."
Secure web browsing with the OP web browser, Chris Grier, Shuo Tang, and Samuel T. King, Department of Computer Science, University of Illinois at Urbana-Champaign
Yahoo Search Blog: "Today, we're announcing the beta release of SearchScan, a new feature from Yahoo! Search that helps protect users from viruses, spyware and spam. We've heard from users that security and privacy continue to be major concerns when they are online. We've also learned that solutions that require downloads and constant updating are less than ideal. To tackle the problem, we partnered with McAfee to build a feature that provides a safer and hassle-free search experience to all users...How does it work? SearchScan leverages McAfee's SiteAdvisor technology to alert users if risky websites appear in Yahoo! Search results. Starting today, SearchScan will be turned on by default for all users in the U.S., Canada, UK, France, Italy, Germany, Australia, New Zealand, and Spain..."
Jeff Stein, CQ National Security Editor - excerpt: "Hundreds of employee laptops are unaccounted for at the U.S. Department of State, which conducts delicate, often secret, diplomatic relations with foreign countries, an internal audit has found.
As many as 400 of the unaccounted for laptops belong to the department’s Anti-Terrorism Assistance Program, according to officials familiar with the findings.
The program provides counterterrorism training and equipment, including laptops, to foreign police, intelligence and security forces.
Ironically, the Anti-Terrorism Assistance Program is administered by the State Department’s Bureau of Diplomatic Security (DS), which is responsible for the security of the department’s computer networks and sensitive equipment, including laptops, among other duties. It also protects foreign diplomats during visits here."
Freedom of the Cyber Seas - "How lessons from the U.S. government's response to pirates in the early 1800s can help the next president of the United States improve information security," Aaron Turner & Michael Assante, April 10, 2008.
"With stories surfacing on news channels regularly about lost or stolen data or the ability to recover data from discarded or resold computers and their hard drives, Computerworld decided to look at some cheap methods of removing that sensitive data from your hard drive permanently. And, what better place to look than YouTube?"
Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071
DOE OIG Inspection Report: Office of Intelligence and Counterintelligence Internal Controls Over the Department of Energy's Sensitive Compartmented Information Access Program, March 2008 - "We concluded that Office of Intelligence and Counterintelligence did not have adequate internal controls over its Sensitive Compartmented Information (SCI) access program."
Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Princeton University, Electronic Frontier Foundation, Wind River Systems. February 21, 2008.
CODENOMICON White Paper - Wireless Security: Past, Present and Future, by Sami Petäjäsoja, Tommi Mäkilä, Mikko Varpiola, Miikka Saukko and Ari Takanen, Version 1.0, February 1st, 2008
Educational Security Incidents (ESI) Year in Review - 2007, by Adam Dodge, posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition of new categories such as incident type 'Employee Fraud' and information type 'Username and Password'."
Press release: "In connection with the 5th Safer Internet Day on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."
Department of Commerce OIG - Census Has Improved Accountability for Laptops and Other Personal Property, But Additional Improvements Are Needed -- Audit: Census-18387-1 [PDF] Report
"Cisco® today announced key findings from its annual global study on remote workers' security awareness and online behavior, indicating how they can inadvertently heighten risks for themselves and the companies they work for. The study's findings are prompting Cisco security executives to offer recommendations to information technology (IT) professionals on how to protect their companies against threats and maximize the business benefits of distributed and mobile workforces."
"Criminals are hard at work thinking up creative ways to get malware on your computer, warns the Federal Trade Commission. With appealing Web sites, desirable downloads, and compelling stories, these criminals try to lure consumers to links that will download malware, especially on computers that don’t use adequate security software. Then, they use the malware – malicious software – to steal personal information, send spam, and commit fraud. A new publication from the FTC has information that could help consumers protect their computers against malware and reclaim their computer and electronic information if malware is already on their computer. The publication, Minimizing the Effects of Malware, provides tips on spotting malware, and urges consumers to act immediately if they suspect their computer is affected by malware."
Press release: "Congresswoman Betty McCollum (MN-04), has sent a letter to the Government Accountability Office asking that it reopen its investigation of the privacy and national security risks posed by government agencies reselling used magnetic data tapes that may once have contained large amounts of sensitive personal and government information. Researchers working for Imation, an Oakdale, MN-based corporation that produces magnetic data tapes, were able to recover a wide range of sensitive information from used data tapes that were supposedly wiped clean before being re-sold. Using readily available equipment and information, Imation investigators found out where the tapes originated and recovered bank account numbers, expense reports, employee tax and benefit information, and other sensitive data."
Department of Commerce Breach Notification Response Plan, September 28, 2007 (21 pages, PDF)
SP 800-53 A - DRAFT Guide for Assessing the Security Controls in Federal Information Systems: "NIST announces the release of Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This final public draft provides comprehensive assessment procedures for all security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans. Comments will be accepted until January 31, 2008...Final publication of NIST Special Publication 800-53A is expected in March 2008."
Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Updated November 15, 2007. "Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security...This report discusses options now open to nation states, extremists, or terrorist groups for obtaining malicious technical services from cybercriminals to meet political or military objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical infrastructure."
"...the Identity Theft Resource Center (ITRC) has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities...In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Based on ITRC’s categorization, the breaches break down as follows: 29% government/military agencies; 28% from educational institutions; 22% from general businesses; 13% from health care facilities / companies; and 8% from banking / credit / financial services entities. In 2005, there were 158 incidents affecting more than 64.8 million people."
101 Best Web Freebies - BusinessWeek.com scoured the Internet for the most useful free products and services available online that you probably don't know about, by Douglas MacMillan. This 45 screen slideshow includes graphics and links to recommended products by category - tech tools, personal finance, career, entertainment, print media, research, health, online learning, PC security.
Press release, November 15, 2007: "IT security and control firm Sophos has revealed new research into the use of other people's Wi-Fi networks to piggyback onto the internet without payment. The research, carried out by Sophos on behalf of The Times, shows that 54 percent of computer users have admitted breaking the law, by using someone else's wireless internet access without permission. According to Sophos, many internet-enabled homes fail to properly secure their wireless connection with passwords and encryption, allowing freeloading passers-by and neighbours to steal internet access rather than paying an Internet Service Provider (ISP) for their own. In addition, while businesses often have security measures in place to protect the Wi-Fi networks within their offices from attack, Sophos experts note that remote users working from home could prove to be a weak link in corporate defenses."
Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets, by Jonathan Caulkins and Nancy R. Mead, September/October 2007 edition of IEEE Security and Privacy Magazine. "In the article, the team presents a tool and methodology they developed for software engineers and their clients to help them make security decisions when resources are limited."
CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."
National Institute of Standards and Technology, Computer Security Division: "SP 800-44 version 2, Guidelines on Securing Public Web Servers, is published as final. It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers."
"Two of the key findings from this year’s Global Security Survey revolve around an organization’s people and a paradox that has been around for years. The weakest link in an organization’s security is its people. An organization’s people include employees, customers, third parties and business partners. And of those people, the highest number of breaches are perpetrated via the customer. Even though information security incidents are grabbing the attention of business executives and boards, these individuals do not yet feel that they “own” the problem. In their estimation, the execution of solutions is the mandate of IT. This information security paradox has been alive and well for years; the 2007 security survey confirms just how widespread it is."
Press release: "The FTC today told the Senate Committee on Commerce, Science & Transportation Subcommittee on Interstate Commerce, Trade and Tourism that it has a robust record in protecting consumers and preserving competition in the marketplace...Speaking for the Commission, Chairman Deborah Platt Majoras said that much of the work of the FTC’s Bureau of Consumer Protection has been devoted to data security and identity theft, technology risks to consumers, fraud in the marketing of health care products, financial practices, telemarketing fraud, and enforcement of the National Do Not Call Rule."
August 31, 2007: Draft Special Publication 800-28 Revision 2 Guidelines on Active Content and Mobile Code (60 pages, PDF)
Analysis of Loss of Control Over Sensitive Personally Identifiable Information and Follow-up Actions to Strengthen its Protection, August 28, 2007. Correspondence (23 pages, PDF)
August 29, 2007: "NIST announces the publication of Special Publication (SP) 800-95, Guide to Secure Web Services (128 pages, PDF). SP 800-95 seeks to assist organizations in understanding the challenges in integrating information security practices into Service Oriented Architecture (SOA) design and development based on Web services. The publication also provides practical, real-world guidance on current and emerging standards applicable to Web services, as well as background information on the most common security threats to SOAs based on Web services. SP 800-95 presents information that is largely independent of particular hardware platforms, operating systems, and applications. Supplementary security devices (i.e., perimeter security appliances) are considered outside the scope of this publication. Interfaces between Web services components and supplementary controls are noted as such throughout this publication on a case-by-case basis."
Erickson, K., & Howard, P. (2007). A case of mistaken identity? News accounts of hacker, consumer, and organizational responsibility for compromised digital records. Journal of Computer-Mediated Communication, 12(4), article 5.
"Consumers can take many measures to make their laptop secure from hackers, viruses, and other potential threats, such as installing firewalls, updating antivirus software, and using strong passwords. Now, the Federal Trade Commission is offering tips for protecting laptops from theft."
"The risk associated with using the Internet remains high. Our State of the Net assesses the likelihood and impact of four leading online hazards, listed in order of incidence, based on the survey by the Consumer Reports National Research Center and our follow-up investigation."
Press release: "If Assistant Professor of Communication at the University of Washington Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."
Press release: "The FBI’s Internet Crime Complaint Center (IC3) today released its annual Internet Fraud Crime Report. From January 1 through December 31, 2006, the center received 207,492 complaint submissions. These filings were composed of fraudulent and non-fraudulent complaints primarily related to the Internet and included many different fraud types to include auction fraud, non-delivery, and credit/debit card fraud, as well as non-fraudulent complaints, such as computer intrusions, spam/unsolicited email..."
Press release: "...the Department of Commerce's United States Patent and Trademark Office (USPTO) released a report that concludes that the distributors of five popular filesharing programs repeatedly deployed features that they knew or should have known could cause users to share files inadvertently. The report, "Filesharing Programs and Technological Features to Induce Users to Share," identifies five features in recent versions of five popular filesharing programs that could cause users to inadvertently distribute to others downloaded files or their own proprietary or sensitive files. "Computer programs that can cause unintended filesharing contribute to copyright infringement, and they threaten the security of personal, corporate, and governmental data," noted Jon Dudas, under secretary of commerce for intellectual property-the Bush Administration's point person on copyright policy."
E-Commerce Times:
Follow-up to the February 19, 2007 posting, Google Publishes Study on Failure Rates of Hard Disk Drives, from the 5th USENIX Conference on File and Storage Technologies and Awarded Best Paper, Disk Failures in the Real World: What Does an MTTF of 1,000,000 Hours Mean to You?
A Comprehensive Emergency Management Program - A Model for State and Territorial Courts 2007, February 2007 (187 pages, PDF).
Failure Trends in a Large Disk Drive Population, Eduardo Pinheiro, Wolf-Dietrich Weber, Luiz André Barroso, 5th USENIX Conference on File and Storage Technologies (FAST 2007), 2007
2007-P-00008 EPA Could Improve Controls Over Mainframe System Software [Report PDF - 35 pages] [At a Glance - PDF] January 29, 2007.
Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group Final Report and Recommendations (PDF, 42 pages), January 19, 2007 and Transmittal Letter (PDF, 2 pages), January 19, 2007.
Federal Chief Information Officer Council Strategic Plan FY 2007-2009 (28 pages, PDF), January 17, 2007.
LexisNexis press release: "Most office workers use workplace technology for personal reasons; many may be ignoring employer policies, new research shows...Despite the fact that nearly one-half (45%) of office workers have been explicitly informed their at-work technology usage is monitored, a majority still use their employers’ technology resources for personal reasons, according to a new survey conducted by Harris Interactive®..."
Press release, January 4, 2007: "Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection."
Related news:
Improved Administration Can Enhance U.S. Customs and Border Protection Laptop Computer Security (Redacted), OIG-07-16 (PDF, 37 pages), January 4, 2007.
Federal Computer Week reported that the Department of Defense has banned the use of Outlook and receipt of HTML email due to threats posed by spyware and viruses.
Press release: "Consumer Reports' environmental website has launched an online Electronics Reuse and Recycling Center. The Center features thoroughly researched, unbiased, expert advice to help de-clutter your home and solve the huge and growing problem of electronics waste. It also features the results of a March 2006 nationwide, online survey including information about why people replace their electronics and what they did with their old equipment."
From Bank System and Technology:
Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety has been on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."
Status Report on OIG Data Security via the Data Security Portal: "Our November 21, 2006, status report notes several important developments, including the fact that as a result of our investigation in cooperation with the Federal Bureau of Investigation and the Miami-Dade County Police Department, two individuals have been arrested for their alleged roles in a small Miami-area laptop theft ring. While the OIG's laptops have not been recovered, there has been no credit fraud resulting from the laptop thefts and we believe that the risk of credit fraud in the future is very low. A firm hired to perform data breach analysis has failed to find any misuse of information on the laptops, and will continue to analyze the information..."
Information Security: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing. Full text, GAO-07-65, and Highlights, October 20, 2006.
Press release: "Symantec Corp...announced the opening of the Symantec Phish Report Network to consumers worldwide. As one of the world's leading antifraud communities, the Symantec Phish Report Network, launched in May 2006, allows member companies to contribute and receive fraudulent Web site addresses that they can use in their antiphishing solutions to help protect users from online fraud. Consumer input further helps the Symantec Phish Report Network's fight against online fraud and will aid in preventing other computer users from becoming victims."
Press release: "A U.S. district court has shut down an operation that secretly downloaded multiple malevolent software programs, including spyware, onto millions of computers without consumers’ consent, degrading their computers' performance, spying on them, and exposing them to a barrage of disruptive advertisements. The Federal Trade Commission has asked the court to order a permanent halt to these deceptive and unfair downloads, and to order the outfit to give up its ill-gotten gains."
Federal Trade Commission, Plaintiff, v. ERG Ventures
Follow-up to previous postings on e-waste, see this New York Times article, Clearing a path from desktop to the recycler, by Paul Vitello. "The Environmental Protection Agency estimates that people threw away 2.5 million tons of electronic equipment, known as e-waste, last year, about 10 percent of which was recycled."
"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam, security risks, and future trends. The tenth version of the report, released September 25, is now available."
Press release: "In a report released today, Reps. Davis and Waxman summarize information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected."
Key Conclusions:
Press release, October 4, 2006: "As information security concerns among consumers and other customer constituencies rise, just 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to findings of a major research initiative by the Chief Marketing Officer (CMO) Council. Without such a plan and other security strategies in place, companies are at risk of losing hundreds of millions of dollars in market value and loss of reputation and brand trust, according to the study's findings."
Launched today, the Take a Byte Out of Cybercrime website: "Led by the beloved McGruff character, the National Crime Prevention Council, the CMO Council and FAME have joined forces to bring together one of the largest and most influential coalitions of private and public companies whose primary goal is to teach millions of consumers how to identify, report and protect themselves against cyber crime." [download the tip sheets]
(U) Office of Inspector General Laptop Computers are Susceptible to Compromise (Unclassified and Redacted) OIG-06-58 (PDF, 48 pages), released October 2, 2006.
Department of Defense Office of the Inspector General -- Audit Summary of Information Assurance Weaknesses Found in Audit Reports Issued from August 1, 2005, through July 31, 2006 - Report No. D-2006-110 (PDF) - Date: September 14, 2006.
Press release: "The U.S. Department of Homeland Security (DHS) announced today the release of the Cyber Storm Public Exercise Report. The report details key findings from Cyber Storm which was the largest and most complex multi-national, government-led cyber exercise to examine response, coordination, and recovery mechanisms to a simulated cyber event within international, federal, state, and local governments and in conjunction with the private sector."
SEARCH, The National Consortium for Justice Information and Statistics - Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community, August 2006.
Government Computer News: "'China has downloaded 10 to 20 terabytes of data from the NIPRNet (DOD's Non-Classified IP Router Network),' said Maj. Gen. William Lord, director of information, services and integration in the Air Force's Office of Warfighting Integration and Chief Information Officer, during the recent Air Force IT Conference in Montgomery, Ala."
Repercussions continue from AOL release of user data -- from News.com: Three workers depart AOL after privacy uproar and commentary by Anita Ramasastry, Privacy and Search Engine Data: A Recent AOL Research Project Has Perilous Consequences for Subscribers.
Press release, August 14, 2006: "Washington State Attorney General Rob McKenna... announced the filing of Washington's second lawsuit under the state's computer spyware act. The state's suit accuses four California-based corporations of installing software that takes control of a consumer's computer by launching aggressive and persistent pop-ups that demand payment for a movie download service."
Ponemon Institute Releases National Survey on Confidential Data at Risk
Inappropriate Use of Email by Employees and System Configuration Management Weaknesses Are Creating Security Risks, July 31, 2006, Reference Number: 2006-20-110 (20 pages, PDF). "We found e-mail messages that violated the IRS' personal use policy in the electronic mailboxes of 71 (74 percent) of 96 employees."
StopBadware.org Blog: "We're entering a new phase here at StopBadware.org. Google—which is one of our partners—will present people with a warning before they visit websites that have been reported to StopBadware.org as sites that distribute badware. These warnings currently link to a general page on StopBadware.org, but as we finish researching sites, we'll replace the general page with one of our individual website reports (see an example here). Hopefully this next step will bring us that much closer to fulfilling our mission of providing people with reliable, objective information about downloadable applications in order to help them make better choices."
Improved Administration Can Enhance Science and Technology Laptop Computer Security (Redacted), OIG-06-42 (PDF, 36 Pages), July 27, 2006.
"CDT launched PolicyBeta, a new blog dedicated to expanding the dialogue about technology policy, civil liberties and preserving democratic values in the digital age. PolicyBeta will feature regular posts on issues ranging from domestic surveillance to spyware, and will provide CDT experts an opportunity to discuss in detail the latest trends and developments affecting the technology policy debate. CDT is encouraging journalists, technologists, academics and interested individuals to visit the blog regularly and participate in the discussion."
The Subcommittee on Financial Institutions and Consumer Credit, chaired by Rep. Spencer Bachus (AL), held a hearing today entitled "ICANN and the Whois Database: Providing Access to Protect Consumers from Phishing." Government officials contend that access to Whois data is essential in the effort to combat cybercrimes, while privacy advocates maintain that access to data on domain name holders facilitates phishing, spam and other types of fraud.
AP: "Computer break-ins at the State Department that caused broad disruptions in recent weeks apparently originated in the East Asia-Pacific region, a department spokesman said Wednesday."
Press release: "CA today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security."
Press release: "CDT's report charts the important cases against spyware distributors and identifies the statutes applied, June 26, 2006."
WSJ free feature: Laptop Lockdown - Companies Start Holding Employees Responsible for Security Of Portable Devices They Use for Work
M-06-16, Protection of Sensitive Agency Information, June 23, 2006 (10 pages, PDF)
The 2006 Technology, Media and Telecommunications Security Survey (16 pages, PDF), Deloitte Touche Tohmatsu: "Security has long been neglected in the Technology, Media & Telecommunications (TMT) industry and the problem continues today. The frequency and sophistication of the attacks are growing, yet many surveyed companies tend to treat security as a relatively minor issue. So where are TMT companies falling behind? More importantly, what can they do to address this increasingly significant problem?"
Yet another report today about the theft of a laptop from the home of a government employee, this time involving info on D.C. government personnel. The issue of why so many institutions have not implemented proper security measures, such as encryption on digital media removed from the office, remains baffling.
Researchers Find Technique to Quickly Erase Hard Drives: "Scientists at the Georgia Institute of Technology (Atlanta), working with L-3 Communications Corp. (New York), said they have developed a technique for quickly erasing hard-disk drives...The researchers concluded that permanent magnets are the best solution." [Slashdot]
Hearing, Cyber Security Challenges at the Department of Energy, June 9, 2006. [note: links to member statements and witness testimony not yet available - after an open session, there was a closed session to discuss security issues related to a previously unreported data breach.]
"Active Security Monitor is a software program that helps you determine how vulnerable your PC is to computer viruses, spyware and other dangers and learn what steps you can take to improve your protection. And if you have more than one PC in your home network, you can use Active Security Monitor to check the security status of your entire home network." [Link]
Outbound Email and Content Security in Today's Enterprise, 2006 (free registration required): "Enterprises are becoming increasingly concerned about creating, managing and enforcing outbound email policies that ensure that messages leaving the organization comply with both internal rules as well as external regulations."
Press release: "A new cyber security study released today highlights the difference between perception and reality of consumers' awareness of online scams and their actual online behavior. While 87 percent of consumers polled said they were confident they could recognize fraudulent e-mails, 61 percent failed to identify a legitimate e-mail. Most respondents categorized all e-mails in the study as fake, even though one of them was legitimate. The Online Fraud Report has been sponsored by the National Cyber Security Alliance (NCSA), a central clearinghouse for cyber security awareness and education for home users, small businesses and the education community, and Bank of America."
Press release: "Wireless Internet access can free you from the confines of cords, but not from the need for security. Without taking the proper precautions, it's easy for others to use your wireless network connection to access the Internet, or even to access the information on your own computer. The Federal Trade Commission is introducing a new section of OnGuard Online to teach computer users how to protect their personal wireless network connections – and the computers on them – from unauthorized use. The information also is available in Spanish."
The Safety of Internet Search Engines (Google, Yahoo, MSN, AOL, Ask), May 12, 2006, by Ben Edelman and Hannah Rosenbaum.
"The Committee on Energy and Commerce, to whom was referred the bill (H.R. 4127) to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass." [House Report 109-453 - Part 1 - Data Accountability and Trust Act (DATA), Ordered to be printed May 6, 2006]
FTC press release: "A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."
Building and Implementing a Successful Information Security Policy, by John J. Pak, May 8, 2006 (25 pages, PDF).
PCWorld: Never Call Tech Support Again! "Why suffer through hours on hold when you can solve the problem yourself? Whether your PC won't boot, keeps crashing, is infested with adware, or can't get to the Net, we'll help you fix it."
The Ins and Outs of Spyware [15 pages, PDF] April 24, 2006: "Lesley Herring discusses what spyware is, categories of spyware, types of spyware, symptoms of spyware, research sites to find out more information, prevention techniques, and removal tools in this contribution."
Following up on previous e-waste postings, Apple announced on April 21, 2006 a Free Computer Take-Back Program "...offering free computer take-back and recycling with the purchase of a new Macintosh® system beginning in June. US customers who buy a new Mac® through the Apple Store® or Apple's retail stores will receive free shipping and environmentally friendly disposal of their old computer as part of the Apple Recycling program. Equipment received by the program in the US is recycled domestically and no hazardous material is shipped overseas."
EPA Needs to Better Implement Plan for Protecting Critical Infrastructure and Key Resources Used to Respond to Terrorist Attacks and Disasters. Information on the initiatives in the full report is sensitive homeland security information and is not available to the [At a Glance - 1 page, PDF]
Those Pesky Passwords - Too many and too complicated to remember, passwords make users crazy and incur help desk expense. What should you do about it? by Larry Ponemon:
From Viviane Reding, Member of the European Commission responsible for Information Society and Media, "Safety on the Net" (7 pages, PDF), (09/02/06).
Symantec Internet Security Threat Report, Volume IX: March 2006 Highlights.
New York Times: Cyberthieves Silently Copy Your Passwords as You Type
New York Times: Too Many New Gadgets, Too Much Information at Risk: Loss, theft and viruses are major issues as corporate use of handheld devices and pocket PCs increases. Pre-emptive security options are available however, as this article describes.
Managing Cybersecurity Resources: A Cost-Benefit Analysis "details guidelines for using sound and measurable principles of cost-benefit analysis, as a complement to gut instinct, to efficiently allocate and manage cybersecurity resources within your organization. Written by two globally acknowledged leaders in the increasingly critical area of cybersecurity (Lawrence A. Gordon and Martin P. Loeb), this comprehensive exploration presents:
Responding to Security Incidents on a Large Academic Network: by Jamie Riden 02/14/06 (9 pages, PDF). "This paper describes a series of security incidents on a large academic network, and the gradual evolution of measures to deal with emerging threats."
"The goal of National Computer Security Survey (NCSS) is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses. The first national survey of thousands of businesses is being conducted in 2006. Sponsors: U.S. Department of Justice, Bureau of Justice Statistics and the U.S. Department of Homeland Security, National Cyber Security Division (NCSD)."
Related government documents:
Press release: "The Federal Deposit Insurance Corporation (FDIC) today released an on-line multimedia education tool that consumers can use to learn how to better protect their computers and themselves from identity thieves. The presentation also features actions consumers can take if their personal information has been compromised. Identity theft continues to be one of the fastest growing crimes in the United States, and has ranked as one of the top consumer concerns for the past several years. Identity theft is evolving in more complicated ways that make it harder for consumers to protect themselves, and easier for criminals to set up virtual storefronts on the Internet to sell confidential personal information."
Press release: "The National Association of State Chief Information Officers (NASCIO), which represents the chief information officers (CIOs) of the states, and the Metropolitan Information Exchange (MIX), an association of county and municipal CIOs, have released findings from a pair of surveys of state and local government cybersecurity preparedness."
New 2005 FBI Computer Crime Survey (19 pages, PDF). "The survey, developed and analyzed with the help of leading public and private authorities on cyber security, is based on responses from a cross-section of more than 2,000 public and private organizations in four states."
"After an extensive public comment period and review, the Anti-Spyware Coalition has released the Final Working Report of the Spyware Definitions. In addition, ASC has released a number of supporting documents, including a Vendor Dispute Resolution Process, a Glossary and a set of Safety Tips for Users."
"OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information."
Malware - Future Trends, by Dancho Danchev, 10/01/06 (26 pages, PDF).
From InformationWeek, this straightforward guide for PC users takes you through a five-step process to identify and eliminate problems before they overtake you.
Report to Congress on the Benefits of the President's E-Government Initiatives, January 6, 2006. (183 pages, PDF)
According to a CNET News.com article by Declan McCullagh, pledges by many U.S. Senators not to use cookies on their e-gov sites have, in at least 23 instances, gone unfulfilled. This follows recent news about the use of tracking technology on other e-gov sites, including the White House and NSA.
Spy? Where?: Understanding Spyware, by Benny C. Rayner, 03/01/06 (14 pages, PDF): "Spyware is a pest no matter which way you think about it. Whether it’s causing you to have numerous pop-ups or it is consuming all of your system resources; spyware is a menace to be reckoned with."
How to Write Better Passwords, by Sarah D. Scalet
Press release: "Phishing attacks aimed at identity theft now affect roughly one in four Americans (23%) each month, according to the second annual AOL/National Cyber Security Alliance (NCSA) Online Safety Study (11 pages, PDF). Additionally, more than two-thirds of consumers (70%) who received such scam e-mails thought they were from legitimate companies, putting them at high risk of losing sensitive personal information to identity thieves or criminals. The AOL/NCSA Online Safety Study is the largest study of its kind, sending technical experts into hundreds of typical homes to examine personal computers for known security risks and threats."
Following up on previous postings about phishing, the New York Times yesterday published an article, Gone Spear-Phishin' detailing the extent, impact and intent of cybercriminals who launch Trojans to steal the data of individuals and corporations, for both profit and personal reasons.
Windows OneCare Team Blog: "WOC is devoted to helping users get their machines in a secure and healthy state."
FTC press release: "An operation that uses the lure of free lyric files, browser upgrades, and ring tones to download spyware and adware on consumers' computers has been ordered to halt its illegal downloads by a U.S. District Court at the request of the Federal Trade Commission. The court also halted the deceptive downloads of an affiliate who helped spread the malicious software by offering blogs free background music. The music code downloaded by the blogs was bundled with a program that flashed warnings to consumers who visited the blog sites about the security of their computer systems. Consumers who opted to upgrade by clicking, downloaded the spyware onto their computers."
Following up on previous postings related to security risks associated with discarding PC hard drives, the parallel environmental toll of the expanding amount of e-waste generated by constant hardware upgrades, via the Basel Action Network (BAN):
Hale, Robert V., Wi-Fi Liability: Potential Legal Risks in Accessing and Operating Wireless Internet. Santa Clara Computer and High Technology Law Journal, Vol. 21, p. 543.
"Microsoft has teamed up with the National Cyber Security Alliance (NCSA) to help increase Internet security through a month-long awareness-raising campaign that provides information and sponsored events for consumers, small businesses, educators, and families. This year, the National Cyber Security Awareness Month campaign begins October 1, 2005...Events for this year's campaign include conferences and workshops in several cities across the U.S. For more information and a list of events, visit the NCSA Web site."
The Global State of Information Security 2005
Symantec Internet Security Threat Report, Volume VIII, September 2005 (requires free registration): "The Symantec Internet Security Threat Report is an analysis and discussion of Internet security activity over the past six months. It covers Internet attacks, vulnerabilities, malicious code, and future trends. This edition of the Threat Report, covering the first six months of 2005, marks a shift in the threat landscape. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Unlike traditional attack activity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud."
How to Combat Spyware in Corporate Environments - "A vendor contribution from Panda Soft on Spyware...Spyware downloaded to companies can steal confidential information, reduce the performance of the IT infrastructure, due to the resources used by non work-related activity and loss of employee productivity, who have to deal with changes to system settings and unwanted advertisements." (20 pages, PDF)
"The new National Vulnerability Database (NVD) from the National Institute of Standards and Technology (NIST) will make it easier for system administrators and other security professionals to learn about vulnerabilities and how to remediate them. The NVD is a comprehensive database that integrates all publicly available U.S. government resources on vulnerabilities and provides links to many industry resources. NVD is built upon a dictionary of standardized vulnerability names and descriptions called Common Vulnerabilities and Exposures." [NIST Alert]
From the New York Times, The Rise of the Digital Thugs chronicles the under-reported, yet growing, threat to corporations from "cyber extortionists" seeking bribes in return for withholding data and information obtained by breaching networks.
Related reference:
From the Univ. of Maryland Center for Public Policy and Private Enterprise, The CSI/FBI Computer Crime and Security Survey, by Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson, 2005 (26 pages, PDF).
Security Guide for Small Business - "This guide helps explain why security is important to your business and outlines steps to better security."
Spyware - Guidance on Mitigating Risks From Spyware FIL-66-2005, July 22, 2005
From WSJ free content, Information Security - Where the Dangers Are: The threats to information security that keep the experts up at night -- and what businesses and consumers can do to protect themselves.
Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program GAO-05-700, June 17, 2005. Highlights.
Alert Overview: "The United States Computer Emergency Readiness Team (US-CERT) has received reports of an email based technique for spreading trojan horse programs. A trojan horse is an attack method by which malicious or harmful code is contained inside apparently harmless files. Once opened, the malicious code can collect unauthorized information that can be exploited for various purposes, or permit computers to be used surreptitiously for other malicious activity. The emails are sent to specific individuals rather than the random distributions associated with a phishing attack or other trojan activity...These attacks appear to target US information for exfiltration. This alert seeks to raise awareness of this kind of attack, highlight the important need for government and critical infrastructure systems owners and operators to take appropriate measures to protect their data, and provide guidance on proper protective measures."
A press release on the new Pew Internet and American Life Project Report released this afternoon: "Spyware and the threat of unwanted programs being secretly loaded onto computers are becoming serious threats online. Nine out of ten internet users say they have adjusted their online behavior out of fear of falling victim to software intrusions. Unfortunately, many internet users' fears are grounded in experience - 43% of internet users, or about 59 million American adults, say they have had spyware or adware on their home computer. Although most do not know the source of their woes, 68% of home internet users, or about 93 million American adults, have experienced at least one computer problem in the past year that are consistent with problems caused by spyware or viruses."
From the FTC: The US SAFE WEB Act - Protecting Consumers from Spam, Spyware, and Fraud, released July 1, 2005
As a follow-up to my previous posting, NY AG Sues Net Marketer For Installing Spyware on Millions of PCs, see this press release dated June 14, 2005:
Consumer Reports WebWatch Investigations - Wireless Networks Offer Flexibility, Potential Snooping, offers a quick overview of the security issues and makes recommendations on enabling safety solutions for home and on the road.
AP reported that an audit revealed Montana state agencies failed to scrub the hard drives of state computers containing personal data (including social security numbers, income tax reports and medical records) prior to donating, selling and otherwise transferring their ownership.
FTC press release today: FTC, Partners Launch Campaign Against Spam "Zombies": "The Federal Trade Commission and 35 government partners from more than 20 countries have targeted the technology trick used by illegal spammers to tap into consumers' home computers and use them to send millions of pieces of illegal spam. Spammers use hidden software that allows them to hijack consumers' home computers and route spam through them. By routing their emails through "zombie" computers, the spammers are able to hide the true origin of the spam from consumers and make it more difficult for law enforcement to find them. Consumers often do not discover that they, themselves, have been sending spam."
Antispyware legislation redux: HR 29 and HR 744 were passed yesterday with only one and four dissenting votes respectively.
Information Security: Federal Agencies Need to Improve Controls over Wireless Networks GAO-05-383, May 17, 2005. Highlights.
Press release: Microsoft to Deliver Automated, All-in-One PC Health Service for Consumers
This NewScientist.com article suggests that Teamwork will beat the spammers by using a social network to identify spam in a dynamic, collaborative effort.
Senate Commerce Committee on Spyware, May 11 2005
Two recent articles worth reviewing cite a number of recent surveys, along with accompanying statistics, detailing corporate security leaks. The more general article is from Internetnews.com and notes that Gartner Group research identifies 70% of security breaches as originating from within organizations. This LabRat Magazine article provides additional references on data leaks as well as technical specifications related to securing documents.
Declan McCullagh interviewed Harvard net researcher extraordinaire Ben Edelman about his ongoing work to identify and inform the public about spyware and adware.
Related reference:
Press release from May 3, 2005: "Webroot Software, the leading provider of anti-spyware software and other security technologies for consumers and enterprises, today released the anti-spyware industry's first comprehensive report on spyware, The State of Spyware Report (reg. req'd), an in-depth review and analysis of the impact of spyware, adware and unwanted software on consumers and enterprises."
Press release: "More than 600 new Internet security vulnerabilities were discovered during the first quarter of 2005, according to the SANS Institute and a team of experts from industry and government. This group has identified the most critical vulnerabilities disclosed in Q1 that pose critical risks that need to be addressed through patching and other defensive actions. Individuals and organizations that do not correct these problems face a heightened threat that remote, unauthorized hackers will take control of their computers and use them for identity theft, for industrial espionage, or for distributing spam."
802.11 Wireless Security Primer - Presentation by John MacMichael (84 pages, PDF)
Spyware Installation Methods, by Benjamin Edelman, updated April 11, 2005. "This page indexes installation methods used by spyware programs and other unwanted software."
From Tom's Networking (Jim Ray's links), this article reviews and documents a recent FBI demonstration of how quickly experts can hack a 128-bit WEP (Wired Equivalent Privacy) key.
eWeek reports on a class action lawsuit against DirectRevenue claiming that the company "deceptively downloaded harmful and offensive software..." [PDF via Broadbandreports.com]
Keyloggers Foiled In Attempted $423 Million Bank Heist
"Here at the Microsoft Security Response Center, we investigate thousands of security reports every year. In some cases, we find that a report describes a bona fide security vulnerability resulting from a flaw in one of our products; when this happens, we develop a patch as quickly as possible to correct the error. In other cases, the reported problems simply result from a mistake someone made in using the product. But many fall in between. They discuss real security problems, but the problems don't result from product flaws. Over the years, we've developed a list of issues like these, that we call the 10 Immutable Laws of Security. Don't hold your breath waiting for a patch that will protect you from the issues we'll discuss below. It isn't possible for Microsoft—or any software vendor—to "fix" them, because they result from the way computers work. But don't abandon all hope yet—sound judgment is the key to protecting yourself against these issues, and if you keep them in mind, you can significantly improve the security of your systems." [Link]
On March 2, I referenced several sources advocating destroying hard drive platters as the only reliable means of permanently wiping the data. As a follow-up, take a look at this movie gallery of shredding demonstrations that includes CD's/floppy discs, computer circuit boards, and whole computers (requires Flash player). [blogdex]
Press release: "Symantec has been granted U.S. patent number 6,851,057 for a system that enables the detection of complex viruses, worms, and spyware. The technology, "data driven detection of viruses," is employed throughout Symantec's portfolio of industry-leading information security solutions at the desktop, server, and gateway for both consumers and enterprises."
On February 23, 2005 the UK Home Office launched ITsafe "to provide both home users and small businesses with proven, plain English advice to help protect computers, mobile phones and other devices from malicious attack."
"Leading IT companies including Cisco Systems, Microsoft, and Symantec are promoting a rating system that will standardize the measurement of the severity of software vulnerabilities." [Link]
VoIP Leaders Form Alliance for VoIP Security Research and Testing: "The industry's first Voice over Internet Protocol (VoIP) Security Alliance was launched today in conjunction with leading VoIP vendors, providers, security researchers, and thought leaders to discover and reduce VoIP security risks. A complete list of members can be accessed at www.voipsa.org."
Law Barring Junk E-Mail Allows a Flood Instead. Another article joins the chorus complaining about the failure of the CAN-SPAM Act to stem the tide of junk email, and highlights how industry, government and advocacy groups continue to do battle against the threats. From the perspective of the spammers however, it is a lucrative business, facilitated by using offshore servers as well as "network zombies."
New Research Shows That Identity Theft Is More Prevalent Offline with Paper than Online:
Press release: "A poll (686 respondents) conducted by WatchGuard Technologies, Inc...reveals that two-thirds of IT managers and administrators believe spyware will be the number one threat to network security over the next twelve months. Spyware is a growing category of malicious software that installs on a computer without the user's knowledge and it can secretly gather information about a person or organization...Sixty-six percent of those questioned said that spyware will pose a greater threat to their networks than viruses or phishing attacks in 2005."
Securing Your Starbucks Experience, by Wayne Rash. See also this related article by Wayne, Five Tips For Boosting Wireless Security.
Newly published research from Ben Edelman: see Investors Supporting Spyware. He lists US companies who produce spyware, their investors and how much venture funding was provided to each project (along with links to relevant SEC filings).
A Primer on Fighting Spyware, by Walter S. Mossberg (from the WSJ, reprinted by Webroot Software, whose product, Spy Sweeper, is recommended in this article.) I run SpyBot Search and Destroy daily on my home PC, and tested Spy Sweeper which indicated that my risk was "low." Remain diligent about using one, or more, of the recommended applications, as often as you can.
In this comparison of MS AntiSpyware vs Ad-Aware vs SpyBot, Microsoft's beta application receives high marks for form, features and function.
Press release: Technology experts and scholars foresee a bigger role for the internet in people's personal and work lives in the next decade:
"Ecycling" Government Computers Under Recycling Electronics and Asset Disposition Services: "For the first time, EPA is awarding contracts to help the entire federal government recycle or properly dispose of computers and other electronic equipment. The new program will prevent hazardous substances inside these items from entering landfills. For example, each computer monitor contains six pounds of lead. All of this equipment contains components that can be reused in the current marketplace or recycled."
Terminating Spyware With Extreme Prejudice chronicles efforts to be rid of spyware and adware programs using the extreme method of reformatting a PC hard drive, after all other avenues had failed.
"CleanSoftware.org is a resource to help Windows users find the best free daily-use software, free from nasties: adware, spyware, harmful/intrusive components, and threats to privacy." (via Slashdot) Versions of the software included are accompanied by red, yellow and green dots indicating the level of reliability.
From the RedSiren press release: "A new survey of computer security professionals reveals that while many of them believe that the time they need to comply with increased government regulations has cut into their ability to secure their computer networks, they also admit that those networks are safer as a result."
This straightforward guide from PC World describes why you need to use a firewall, how firewalls work, and hardware and software options.
A trio of PowerPoint presentations providing resources on the following timely issues:
"Some anti-spyware companies use confusing ads, and our tests show their $20-$60 products are less effective than free competitors." [Link]
From Ars Technica, this two-part article on spyware -
From the press release: "The AOL/ NCSA Online Safety Study (9 pages, PDF) – conducted by technical experts in the homes of 329 typical dial-up and broadband computer users – found that most computer users think they are safe but lack basic protections against viruses, spyware, hackers, and other online threats. In addition, large majorities of home computer users have been infected with viruses and spyware and remain highly vulnerable to future infections. Yet at the same time, most keep sensitive personal and financial information on their computers."
From email security provider CipherTrust, this report details research on the origin, method of dissemination, and targets of phishing attacks.
"GetNetWise is a public service brought to you by a wide range of Internet industry corporations and public interest organizations. The GetNetWise coalition wants Internet users to be only "one click away" from the resources they need to make informed decisions about their and their family's use of the Internet."
Update to 10/08/04 posting, FTC Files Case Against Two Companies Who Market Spyware, that included a link to the complaint, see the 10/12/04 FTC press release, FTC Cracks down On Spyware Operation, for additional comments.
The SPY Act, H.R. 2929, To protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes, was approved today by the House. See the accompanying House Report 108-619.
The State of Information Security, 2004, A Worldwide Study Conducted by CIO Magazine and PricewaterhouseCoopers (Executive Summary).
From Reuters, news that two bills have been ordered reported by the House Judiciary Committee:
From InformationWeek, Special Report: Readers Take The Offensive Against Spyware. Includes the following articles:
Recovering from a Trojan Horse or Virus, August 12, 2004.
PestControl, a PC security company, today launched the Center for Pest Research, offering consumers a range of resources to assist in the effort to combat spyware. The site offers updated spyware analysis, whitepapers, how-to guides to identify, locate and eliminate "pests," and a searchable Alphabetical Index to 21,109 Pest Descriptions.
This AP article provides practical advice on how to formulate and secure the passwords that are increasingly necessary to access network applications and websites, whether at work, for consumer transactions or general enlightenment.
From Websense's fifth annual Web@Work survey, April 26: "92 Percent of Organizations with at Least 100 Employees Have Been Contaminated With Spyware, Yet Only Six Percent of Employees Believe They Have Been Infected."
"The Center for Information Policy (CIP), University of Maryland, is a multidisciplinary research center that analyzes and provides solutions to current policy issues relating to the convergence of information and technology...Privacy, intellectual property and information security are just a few of the areas where CIP offers independent, unbiased quality analysis, advice and proposals for action."
From yesterday's FTC Spyware Workshop, the Consumer Software Working Group Examples of Unfair, Deceptive or Devious Practices Involving Software, "endorsed by a broad coalition of software companies, Internet service providers, anti-spyware technology vendors, and consumer groups convened by the Center for Democracy and Technology (CDT)."
The BBC reports that the results of recent surveys of London commuters, requesting their PC login passwords in exchange for chocolate, were that a majority of respondents provided them without hesitation. Must be really good chocolate! In addition, the survey established that pet names are all too often passwords of choice, and are also willingly shared. Scroll to the end of the article and review the reader comments as well.
"SecurityDocs.com is a directory of information security articles, white papers, and other documents that information security professionals find useful." The site currently links to 1710 information papers in 88 categories that include Laws and Regulations, Wireless Security, Intrusion Detection, and Computer Security 101. [Hot Links]
From the press release: "The Corporate Governance Task Force of the National Cyber Security Partnership (NCSP) today released a management framework and call to action to industry, non-profits and educational institutions, challenging them to integrate effective information security governance (ISG) programs into their corporate governance processes."
A useful checklist of safety recommendations from the FTC, Better Business Bureau and the National Cyber Security Alliance focuses on issues that include password and virus protection, using firewalls and updating security patches, the risks of file sharing, the utility of encryption, and employee education.
From the Washington Post, Online Financial Crime Headed From Bad to Worse. Worms, viruses and browser flaws will all continue to pose security risks for enterprise wide networks and home users alike in 2004.
Rep. Adam Putnam, (R-Fla.) in conjunction with the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, issued a comparison chart, using an A through F grading scheme, to evaluate government agency information security in 2002 and 2003. It should be noted that the governmentwide average rose from an F to a D this past year. Feel more secure now! See this Federal Computer Week article for more details as well as to review a copy of the chart.
From the Center on Democracy and Technology (CDT), a new report, Ghosts in Our Machines: Background and Policy Proposals on the "Spyware" Problem, offers a straightforward review of how spyware programs operate, how to locate and disable them, and federal laws that in some measure address this technology, albeit with less than satisfactory results for consumers. In conjunction with this report, the CDT has launched a Campaign Against "Spyware" in an effort to gather information from consumers which will then become part of a complaint to be filed with the FTC.
New worm variant targets identity data:
The House Energy and Commerce Committee Telecommunications and the Internet Subcommittee held a hearing on November 6 entitled, Computer Viruses: The Disease, the Detection, and the Prescription for Protection:
"Microsoft Corp. today announced the creation of the Anti-Virus Reward Program, initially funded with $5 million (U.S.), to help law enforcement agencies identify and bring to justice those who illegally release damaging worms, viruses and other types of malicious code on the Internet. Microsoft will provide the monetary rewards for information resulting in the arrest and conviction of those responsible for launching malicious viruses and worms on the Internet. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide." [Link]
Microsoft's new Windows Server 2003 allows users to implement digital rights management applications for Word, Excel and PowerPoint documents as well as Outlook emails. [Link] See my previous posting on this new version here.
The Great American Privacy Makeover:
According to PCWorld.com, Microsoft may institute automatic security updates via a default option.
See H.R. 3159 [Report No. 108-305], To require Federal agencies to develop and implement plans to protect the security and privacy of government computer systems from the risks posed by peer-to-peer file sharing.
The Electronic Frontier Foundation's new report, Trusted Computing: Promise and Risk:
From PCWorld.com, this article has some useful information about malicious applications that can bypass your firewall and clutter your computer screen with unwanted ads and plug-ins. Suggested solutions include the use of programs, available in free and fee versions, that identify and delete stealthware (including Spybot Search & Destroy and Ad-aware 6).
Sleuths Try to Stay Step Ahead of Online Worms. Computer security and antivirus companies around the world are working to stay one step ahead of viruses that are increasingly impacting corporations, government agencies and home users. These "virus sleuths" are also assisting the FBI to track down and minimize the damage from malicious worms such as the recent SoBig.F.
Princeton University computer science professor, author, security expert, and of course, blogger (his blog is called Freedom to Tinker), Ed Felten warns in this interview that "A collision is happening between creativity and protecting intellectual property."
Resources and news of note on Super DMCA legislation ("to combat broadband and communications piracy") that is proliferating at the state level, driven in large measure by relentless lobbying on the part of the Motion Picture Association of America (MPAA), and which, for the most part, is based on the organization's proposed model legislation. The Broadband & Internet Security Task Force, an industry sponsored organization, is also a key player in the effort to enact such legislation.
From the American Library Association (ALA), see this 'Super' DMCA State Legislation Table. Via Tech Law Advisor, this commentary on pending Florida legislation (H79 and S1078) contends the legislation "would take away your right to potentially own or operate a TiVo, network firewall, or WiFi device. Not to mention your right to privacy..."
From the Chronicle of Higher Education, a Michigan grad student moved his research on information hiding techniques (steganography) to a server in the Netherlands for fear of prosecution under Michigan's Public Act 672, which prohibits conduct with regard to telecommunications access devices.
And from Information Week, this article about software developer Tom Liston's network security application to fight worms, called LaBrea. Mr. Liston has been directly impacted by Super DMCA legislation enacted on January 1, 2003 in Illinois, such that he felt compelled to remove his software from public access via the Hackbuster site, on April 16.
Key logging software has been around for quite a while. Companies use it to 'virtually' stand over the shoulders of employees and read every letter typed on their keyboards. But this software is also used by hackers to commit identity theft, as was the case with nefarious installations on the computer systems of major universities throughout the country, as reported this past June.
Anti-key logging programs are available to detect monitoring (SpyCop and Anti-keyloggers are two examples). However, TechTV reports that a "black code" written into the key logging programs causes PCs to crash when the defensive software is detected.
As promised, the FTC has introduced a new web site and mascot in an effort to promote safe use of the Internet by parents as well as children. Hence, I suppose, the use of Dewie, the biped turtle mascot, holding a laptop computer.
This Wired article details the data security issues inherent in the sale or donation of used PCs, even those whose hard drives have been removed. Personal or corporate data can be pirated even "from the RAM chips and CPU core."
The FTC announced today that they will unveil a new mascot called Dewie on September 26, at the Privacy2002 conference. Can't wait!
From the White House, this 65 page PDF draft report is divided into 5 content areas: Home User and Small Business; Large Enterprises; Critical Sectors (federal government, state and local government, higher education and private sector); National Priorities; and Global.
Public comments on the Draft Strategy to Secure Cyberspace will be accepted until November 12, 2002, via feedback@who.eop.gov.
Two brief but useful related resources on PC security are: Cybersecurity and You: Five Tips Every Consumer Should Know, and A Cybersecurity Primer: Links and Resources for Computer Users.
See also, Bush's computer 'culture of security' relies on users, September 19, 2002.